Doctoral thesis
for the degree of doktor ingeniør
Trondheim, December 2005
Norwegian University of
Science and Technology
Faculty of Engineering Science and Technology
Department of Production and Quality Engineering
Snorre Sklet
ISBN 82-471-7742-0 (printed ver.)
ISBN 82-471-7741-2 (electronic ver.)
ISSN 1503-8181
Doctoral Theses at NTNU, 2006:3
Printed by Tapir Uttrykk
Thesis - Summary
Summary
The main objective of the PhD project has been to develop concepts and methods
that can be used to define, illustrate, analyse, and improve safety barriers in the
operational phase of offshore oil and gas production platforms.
The main contributions of this thesis are:
• Clarification of the term safety barrier with respect to definitions, classification,
  and relevant attributes for analysis of barrier performance
• Development and discussion of a representative set of hydrocarbon release
  scenarios
• Development and testing of a new method, BORA-Release, for qualitative and
  quantitative risk analysis of hydrocarbon releases
Safety barriers are defined as physical and/or non-physical means planned to
prevent, control, or mitigate undesired events or accidents. The means may range
from a single technical unit or human actions, to a complex socio-technical system.
It is useful to distinguish between barrier functions and barrier systems. Barrier
functions describe the purpose of safety barriers or what the safety barriers shall do
in order to prevent, control, or mitigate undesired events or accidents. Barrier
systems describe how a barrier function is realized or executed. If the barrier system
is functioning, the barrier function is performed. If a barrier function is performed
successfully, it should have a direct and significant effect on the occurrence and/or
consequences of an undesired event or accident.
It is recommended to address the following attributes to characterize the
performance of safety barriers; a) functionality/effectiveness, b) reliability/
availability, c) response time, d) robustness, and e) triggering event or condition. For
some types of barriers, not all the attributes are relevant or necessary in order to
describe the barrier performance.
The presented hydrocarbon release scenarios include initiating events, barrier
functions introduced to prevent hydrocarbon releases, and barrier systems realizing
the barrier functions. Both technical and human/operational safety barriers are
considered. The initiating events are divided into five main categories; (1) human
and operational errors, (2) technical failures, (3) process upsets, (4) external events,
and (5) latent failures from design.
The development of the hydrocarbon release scenarios has generated new
knowledge about causal factors of hydrocarbon releases and safety barriers
introduced to prevent the releases. Collectively, the release scenarios cover the most
frequent initiating events and the most important safety barriers introduced to
prevent hydrocarbon releases.
BORA-Release is a new method for qualitative and quantitative risk analysis of the
hydrocarbon release frequency on oil and gas platforms. BORA-Release combines
use of barrier block diagrams/event trees, fault trees, and risk influence diagrams in
order to analyse the risk of hydrocarbon release from a set of hydrocarbon release
scenarios.
Use of BORA-Release makes it possible to analyse the effect on the hydrocarbon
release frequency of safety barriers introduced to prevent hydrocarbon releases.
Further, BORA-Release may be used to analyse the effect on the barrier
performance of platform specific conditions of technical, human, operational, and
organisational risk influencing factors. Thus, BORA-Release may improve today's
quantitative risk analyses on two weak points: i) analysis of causal factors of the
initiating event hydrocarbon release (loss of containment), and ii) analysis of the
effect on the risk of human and organisational factors.
The main focus of this thesis is safety barriers introduced to prevent hydrocarbon
releases on offshore oil and gas production platforms. Thus, the results are primarily
useful for the oil and gas industry in their effort to control and reduce the risk of
hydrocarbon releases. The Norwegian oil and gas industry can use the results in their
work to fulfil the requirements to safety barriers and risk analyses from the
Petroleum Safety Authority. However, the concepts and methods may also be
applied in other industries (e.g., the process industry) and application areas (e.g., the
transport sector) in their effort to reduce the risk.
Thesis - Preface
Preface
This thesis documents the work carried out during my PhD study at the Norwegian
University of Science and Technology (NTNU), Department of Production and
Quality Engineering. The research was carried out from 2001 to 2005.
The PhD study is financed by a scholarship from Vesta Forsikring and I am grateful
for their financial support.
I appreciate and acknowledge the support from my supervisor during the work with
the thesis, Professor Marvin Rausand at Department of Production and Quality
Engineering, NTNU.
Finally, thanks to all the people I have collaborated with during the PhD study;
colleagues at SINTEF (Stein Hauge, Helge Langseth, Trygve Steiro, and Knut Øien)
and NTNU (Eirik Albrechtsen and Kjell Corneliussen), the BORA project team (Jan
Erik Vinnem, UiS, Terje Aven, UiS, and Jorunn Seljelid, Safetec), people from oil
companies and the authority (Rune Botnevik, Statoil, John Monsen, Hydro, Kjell
Sandve, ConocoPhillips, and Odd Tjelta, PSA), and all other people who have
participated in the research projects I have worked on during the PhD study.
Snorre Sklet
Table of contents
Summary
Preface
Table of contents
1 Introduction
1.1 Background
1.2 Objectives
1.3 Delimitations
1.4 Structure of the report
2 Research approach and principles
2.1 Scientific approach
2.2 Research principles
2.3 Concepts
3 Main results
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
5 Acronyms
6 References
PART II PAPERS
Paper 1 Safety barriers; definition, classification and performance
Paper 2 Hydrocarbon releases on oil and gas production platforms; Release
scenarios and safety barriers
Paper 3 Barrier and operational risk analysis of hydrocarbon releases (BORA-Release); Part I Method description
Paper 4 Barrier and operational risk analysis of hydrocarbon releases (BORA-Release); Part II Results from a case study
Paper 5 Comparison of some selected methods for accident investigation
Paper 6 Qualitative Analysis of Human, Technical and Operational Barrier
Elements during Well Interventions
Paper 7 Standardised procedures for Work Permits and Safe Job Analysis on the
Norwegian Continental Shelf
Paper 8 Challenges related to surveillance of safety functions
1 Introduction
1.1 Background
In the regulations concerning health, environment, and safety within the petroleum
activities on the Norwegian Continental Shelf (NCS) issued in 2001 [1], the
Petroleum Safety Authority Norway (PSA) focuses on risk-informed principles and
safety barriers as important means to reduce the risk of accidents. This focus is also
prevailing in international regulations such as the Seveso II directive [2] and the
Machinery directive [3], and in international standards [4-6].
No common definition of safety barriers has been found in the literature, even
though different aspects of the concept have been discussed in the literature [7-18],
required in legislations and standards, and applied in practice for several decades.
Different terms with similar meanings (e.g., barrier, defence, protection layer, safety
critical element, and safety function) have been used in various industries, sectors,
and countries. The two theorems of communication developed by Kaplan [19]; (1)
50 % of the problems in the world result from people using the same words with
different meanings, and (2) the other 50 % comes from people using different words
with the same meaning, support the need for clarifying the terms in order to avoid
misconceptions in communication about risk and safety barriers.
Although PSA has developed requirements to safety barriers, they have not given a
clear definition of the concept. Discussions have emerged on what is a safety barrier
within the Norwegian offshore industry, and different views exist. A clarification of
several terms, such as safety barrier, barrier function, barrier system, and barrier
performance, will make it easier for the Norwegian offshore industry to fulfil the
requirements from PSA as regards safety barriers. Clear definitions will also make it
easier for PSA to manage their regulations.
This topic is also of interest due to the extended perspective on safety barriers that
has evolved in recent years as described by Hollnagel [10], who writes: "whereas the
barriers used to defend a medieval castle mostly were of a physical nature, the
modern principle of defence-in-depth combines different types of barriers from
protection against the release of radioactive materials to event reporting and safety
policies."
1.2 Objectives
The main objective of the PhD project has been to develop concepts and methods
that can be used to define, illustrate, analyse, and improve safety barriers in the
operational phase of offshore oil and gas production platforms.
Based on this main objective, the following objectives are developed for this thesis;
1.3 Delimitations
The main focus of this thesis is the use of the barrier concept within industrial
safety, and especially prevention of the realization of hazards that may lead to major
accidents. Thus, occupational accidents have not been explicitly discussed.
The work is limited to the accident type process accident (hydrocarbon releases, fire
and explosion) that is one of the main contributors to the total risk of major
accidents on oil and gas producing platforms. The work focuses on scenarios that
may lead to hydrocarbon releases and safety barriers introduced to prevent such
releases. Thus, consequence reducing barriers are not treated. Some results are also
presented from a study of barriers preventing release of hydrocarbons during
wireline operations.
The aim of the work has been to ensure the safety during the operational phase of
the life cycle of offshore oil and gas production platforms with special emphasis on
operational safety barriers introduced to prevent hydrocarbon release. Consequently,
discussions about barriers introduced to prevent latent failures from the design or
construction phase are not covered in the thesis.
Another delimitation is that the work concentrates on safety issues, implying that
security issues such as intended actions are not within the scope of the thesis.
Paper 1
Sklet, S., Safety barriers; definition, classification and performance. Journal of Loss
Prevention in the Process Industries (article in press, available online 20 January
2006).
Paper 2
Sklet, S., Hydrocarbon releases on oil and gas production platforms; Release
scenarios and safety barriers. Journal of Loss Prevention in the Process Industries
(article in press, available online 18 January 2006).
Paper 3
Aven, T., Sklet, S., and Vinnem, J.E., Barrier and operational risk analysis of
hydrocarbon releases (BORA-Release); Part I Method description. Journal of
Hazardous Materials (submitted for publication 2 December 2005).
Paper 4
Sklet, S., Vinnem, J.E., and Aven, T., Barrier and operational risk analysis of
hydrocarbon releases (BORA-Release); Part II Results from a case study. Journal of
Hazardous Materials (submitted for publication 2 December 2005).
Paper 5
Sklet, S., Comparison of some selected methods for accident investigation. Journal
of Hazardous Materials (2004), 111, 1-3, 29-37.
Paper 6
Sklet S., Steiro T., & Tjelta O., Qualitative Analysis of Human, Technical and
Operational Barrier Elements during Well Interventions. ESREL 2005, Tri City,
Poland.
Paper 7
Botnevik, R., Berge, O., and Sklet, S., Standardised procedures for Work Permits
and Safe Job Analysis on the Norwegian Continental Shelf. SPE Paper Number
86629, Society of Petroleum Engineers, 2004.
Paper 8
Corneliussen, K., and Sklet, S., Challenges related to surveillance of safety
functions. ESREL 2003, Maastricht.
In addition, several papers not included in this thesis have been published during the
PhD-study:
Sklet, S., Aven, T., Hauge, S., & Vinnem, J.E., Incorporating human and
organizational factors in risk analysis for offshore installations. ESREL 2005, Tri
City, Poland.
Sklet, S., Storulykker i Norge de siste 20 årene. Chapter 7 in Fra flis i fingeren til
ragnarok. Tapir Akademisk Forlag, Trondheim, 2004.
Hovden, J., Sklet, S. and Tinmannsvik, R.K., I etterpåklokskapens klarsyn: Gransking
og læring av ulykker. Chapter 8 in Fra flis i fingeren til ragnarok. Tapir Akademisk
Forlag, Trondheim, 2004.
Sklet, S., and Hauge, S., Reflections on the Concept of safety Barriers. PSAM 7 - ESREL 2004, Berlin.
Sklet, S., Onnettomuustutkinnan menetelmiä. TUKES-julkaisu 6/2004,
Turvatekniikan Keskus, Helsinki.
Sklet, S., Methods for accident investigation. ROSS (NTNU) 200208, Report (75
pages), Trondheim.
[Figure: PhD thesis and the research principles. Box labels: Review of literature; Review of industry practice; Review of R&D projects; Multidisciplinary research projects; Industry cooperation; Communication of results]
• Barrier and operational risk analysis (BORA project) [43], sponsored by The
  Norwegian Research Council, The Norwegian Oil Industry Association
  (OLF), Health and Safety Executive UK, and the Petroleum Safety
  Authority Norway
• Indicators for non-physical barriers [44], sponsored by the Petroleum Safety
  Authority Norway
• Future safety analyses for the assessment of technical and organizational
  changes [45], sponsored by Norsk Hydro
• Guidelines for Work Permit and Safe Job Analysis [46, 47], sponsored by
  Working Together for Safety/The Norwegian Oil Industry Association
  (OLF)
• Methods for accident investigations [48], sponsored by the Petroleum Safety
  Authority Norway.
Another important principle is the cooperation with personnel from the industry.
This cooperation is ensured through involvement of industry personnel in the
research projects and accomplishment of a case study as part of the BORA project.
Finally, the results from the research are communicated to the academia and the
industry at regular intervals. The results are communicated both orally at
conferences, seminars, workshops, and project meetings, and written in papers,
project memos, and reports. The purpose of the communication of the research
results is twofold: to spread the results, and to receive comments from the
outside world.
These principles have contributed to evaluation and quality assurance of the research
at regular intervals since the input from the outside world has influenced the
research work and thus influenced the results presented in this PhD thesis.
2.3 Concepts
Use of risk-informed principles necessitates an understanding of the word risk.
Many definitions of the word exist in the literature, and several views exist,
illustrated by the following story [19]: "One of the first initiatives from the Society
for Risk Analysis was to establish a committee to define the word risk. The
committee laboured for 4 years and then gave up, saying in its final report, that
maybe it is better not to define risk and let each author define it in his own way,
emphasizing that each should explain clearly what way that is."
A definition of risk adopted from Kaplan [49] is applied in this thesis. Kaplan states
that the question "What is the risk?" is really three questions: "What can happen?",
"How likely is that to happen?", and "What are the consequences?". Risk may then
be expressed as a (complete) set of triplets $(S_i, L_i, X_i)$, where $S_i$ denotes scenario $i$, $L_i$
denotes the likelihood, and $X_i$ the consequences.
Hydrocarbon release is defined as gas or oil leaks (including condensate) from the
process flow, well flow, or flexible risers with a release rate greater than 0.1 kg/s.
Smaller leaks are called minor releases or diffuse discharges.
3 Main results
The following subsections comprise a summary of the main results from the
research. Detailed information about the results is presented in the research papers in
part II of the thesis.
function that has at most an indirect effect is not classified as a barrier function, but
as a risk influencing factor/function. A barrier function should preferably be defined
by a verb and a noun, e.g., "close flow" and "stop engine".
A barrier system is a system that has been designed and implemented to perform
one or more barrier functions.
A barrier system describes how a barrier function is realized or executed. If the
barrier system is functioning, the barrier function is performed. A barrier element is
a component or a subsystem of a barrier system that by itself is not sufficient to
perform a barrier function. A barrier subsystem may comprise several redundant
barrier elements. In this case, a specific barrier element does not need to be
functioning for the system to perform the barrier function. This is the case for
redundant gas detectors connected in a k-out-of-n configuration. The barrier system
may consist of different types of system elements, e.g., physical and technical
elements (hardware, software), operational activities executed by humans, or a
combination thereof.
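The k-out-of-n case can be made concrete. The following is an added example, not taken from the thesis: it computes the probability that a barrier function is not performed on demand when the barrier system is n redundant elements (e.g., gas detectors) voted k-out-of-n, and the resulting frequency of the undesired event. It assumes the elements fail independently (no common-cause failures); all function names, failure probabilities and the demand frequency are constructed for illustration.

```python
"""k-out-of-n barrier system: probability that the barrier function fails.

Added illustration. Assumption: barrier elements fail independently on demand
(common-cause failures are NOT modelled). All numbers below are constructed.
"""


def working_count_distribution(p_fail):
    """Return dist where dist[j] = P(exactly j elements function on demand).

    p_fail: list with the probability of failure on demand of each element.
    Elements may have different probabilities (e.g., detectors of mixed age).
    """
    dist = [1.0]  # before any element is considered: 0 functioning, prob. 1
    for q in p_fail:
        if not 0.0 <= q <= 1.0:
            raise ValueError("failure probability must be in [0, 1]")
        nxt = [0.0] * (len(dist) + 1)
        for j, pr in enumerate(dist):
            nxt[j] += pr * q              # this element fails
            nxt[j + 1] += pr * (1.0 - q)  # this element functions
        dist = nxt
    return dist


def barrier_failure_probability(k, p_fail):
    """P(barrier function not performed) for a k-out-of-n barrier system.

    The function is performed when at least k of the n elements function,
    so it fails when fewer than k function.
    """
    n = len(p_fail)
    if not 1 <= k <= n:
        raise ValueError("k must satisfy 1 <= k <= n")
    return sum(working_count_distribution(p_fail)[:k])


def undesired_event_frequency(demands_per_year, k, p_fail):
    """Frequency of the undesired event: demand rate times P(barrier fails)."""
    return demands_per_year * barrier_failure_probability(k, p_fail)


def compare_votings(p_fail):
    """Failure probability for every possible k with the same n elements."""
    return {k: barrier_failure_probability(k, p_fail)
            for k in range(1, len(p_fail) + 1)}


if __name__ == "__main__":
    detectors = [0.1, 0.1, 0.1]  # constructed: three identical gas detectors
    for k, p in compare_votings(detectors).items():
        print(f"{k}-out-of-3: P(barrier function fails) = {p:.3f}")
    # Constructed demand rate: 0.5 initiating events per year
    print("2oo3 undesired events per year:",
          round(undesired_event_frequency(0.5, 2, detectors), 4))
```

With 2-out-of-3 voting any single detector may fail without the barrier function being lost, whereas in a 3-out-of-3 system every element is required, which is visible in the higher failure probability.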
[Figure: Barrier function (what to do), realized by: barrier system (how to do it). Box labels: Passive; Physical; Active; Human/operational; Technical; Safety Instrumented System (SIS); Other technology safety-related system; External risk reduction facilities]
are not discussed any further in this thesis, but should be addressed as part of a total
analysis of the barriers.
[Figure: Barrier function realized by a barrier system. Branches: Functions (safe state); Fails (undesired event)]
3.5 BORA-Release
A method, called BORA-Release, for qualitative and quantitative risk analyses of
the platform specific hydrocarbon release frequency on oil and gas production
platforms is developed within the BORA project¹. The method is described in Paper
3. BORA-Release makes it possible to analyse the effects on the release frequency
of safety barriers introduced to prevent hydrocarbon releases, and analyse how
platform specific conditions of technical, human, operational, and organisational risk
influencing factors influence the barrier performance, and thus the risk.
BORA-Release combines use of barrier block diagram/event trees, fault trees, and
risk influence diagrams.
BORA-Release comprises the following main steps:
1) Development of a basic risk model including hydrocarbon release scenarios
and safety barriers (see Paper 2 for a description of the scenarios)
2) Modelling the performance of safety barriers
3) Assignment of generic input data and risk quantification based on these data
4) Development of risk influence diagrams
5) Scoring of risk influencing factors (RIFs)
6) Weighting of risk influencing factors
7) Adjustment of generic input data
8) Recalculation of the risk in order to determine the platform specific risk
Each step in BORA-Release is described in detail in Paper 3.
¹ The aim of the BORA project [43] is to perform a detailed and quantitative modeling of
barrier performance including barriers to prevent the occurrence of initiating events as
well as barriers to reduce the consequences.
Which accident models have influenced each method is assessed in column
five. The following accident models are used (e.g., see [55, 56] for description of
accident models):
A Causal-sequence model
B Process model
C Energy model
D Logical tree model
E SHE-management models
Whether the different methods are inductive, deductive, morphological or non-system-oriented is assessed in column six. In the next column, the different
investigation methods are categorized as primary or secondary methods. Primary
methods are stand-alone techniques, while secondary methods provide special input
as supplement to other methods. The last column assesses the need for education and
training in order to use the methods. The terms "Expert", "Specialist", and "Novice"
are used.
The table illustrates that several of the methods include analysis of safety barriers.
However, there is no common practice in the Norwegian oil and gas industry with
respect to how safety barriers are treated in accident investigations.
The clarification of terms is helpful for the Norwegian offshore industry in order to
fulfil the requirements to safety barriers from the Petroleum Safety Authority
Norway [1].
The development of the hydrocarbon release scenarios has generated new
knowledge about causal factors of hydrocarbon releases and safety barriers
introduced to prevent the releases. Collectively, the scenarios cover the most
frequent initiating events and give an overview of the most important safety barriers
introduced to prevent hydrocarbon releases.
BORA-Release may be applied to analyse the platform specific hydrocarbon release
frequency for selected systems on a specific platform. The method may be used to
analyse the effects on the release frequency of safety barriers introduced to prevent
hydrocarbon releases, and to study the effects on the barrier performance of platform
specific conditions of technical, human, operational, and organisational risk
influencing factors.
Roughly assessed, the main objective of the PhD project, "to develop concepts and
methods that can be used to define, illustrate, analyse, and improve safety barriers
in the operational phase of offshore oil and gas production platforms", is fulfilled.
However, there is still need for further research concerning several of the detailed
objectives developed for the thesis, and each of these detailed objectives is discussed
in the following.
applied in other industries (e.g., the process industry) and application areas (e.g., the
transport sector) in their effort to reduce the risk.
5 Acronyms
AEB
ARAMIS
BORA
ESD
ESREL
HC
IEC
ISO
MORT
MTO
NCS
NTNU
OLF
PSA
QRA
R&D
RIF
ROSS
SCAT
SHE
SIL
SINTEF
SIS
SJA
SPE
STEP
UiS
WP
6 References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16] Neogy, P., Hanson, A. L., Davis, P. R. and Fenstermacher, T. E., Hazard and
Barrier Analysis Guidance Document, Rev. 0, US Department of Energy
(DoE), EH-33 Office of Operating Experience Analysis and Feedback, 1996.
[17] Svenson, O., The Accident Evolution and Barrier Function (AEB) Model
Applied to Incident Analysis in the Processing Industries, Risk Analysis. 11, 3
(1991) 499-507.
[18] Reason, J., Managing the risks of organizational accidents, Ashgate, Aldershot,
1997.
[19] Kaplan, S., The Words of Risk Analysis, Risk Analysis. 17, 4 (1997) 407-417.
[20] Hopkins, A., Lessons from Longford: the Esso gas plant explosion, CCH
Australia Ltd, Sydney, 2000.
[21] Cullen, W. D., The public inquiry into the Piper Alpha disaster, HMSO,
London, 1990.
[22] Vaughan, D., The Challenger launch decision : risky technology, culture, and
deviance at NASA, University of Chicago Press, Chicago, 1996.
[23] CAIB, The Columbia Accident Investigation Board Report - Volume 1,
http://www.caib.us/, 2003.
[24] NOU-2000:31, Hurtigbåten MS Sleipners forlis 26. november 1999, Justis- og
politidepartementet, Oslo, Norge, 2000.
[25] Cullen, W. D., The Ladbroke Grove Rail Inquiry: Report, Part 1, HSE Books,
United Kingdom, 2001.
[26] NOU, Åsta-ulykken, 4. januar 2000., Justis- og politidepartementet, Oslo,
Norge, 2000.
[27] Sklet, S., Storulykker i Norge de siste 20 årene, In Lydersen, S. (eds), Fra flis i
fingeren til ragnarok, Tapir Akademisk Forlag, Trondheim, 2004.
[28] Øien, K., A Focused Literature Review of Organizational Factors' Effect on
Risk. Paper II in the Doctoral thesis Risk Control of Offshore Installations,
NTNU, Trondheim, Norway, 2001.
[29] Vinnem, J. E., Aven, T., Hundseid, H., Vassmyr, K. A., Vollen, F. and Øien,
K., Risk assessments for offshore installations in the operational phase,
ESREL 2003, Maastricht, The Netherlands, 2003.
[30] Andersen, H., Casal, J., Dandrieux, A., Debray, B., De Dianous, V., Duijm, N.
J., Delvosalle, C., Fievez, C., Goossens, L., Gowland, R. T., Hale, A. J.,
Hourtolou, D., Mazzarotta, B., Pipart, A., Planas, E., Prats, F., Salvi, O. and
Tixier, J., ARAMIS - User Guide, EC Contract number EVG1-CT-200100036, 2004.
[31] Bellamy, L. J., Papazoglou, I. A., Hale, A. R., Aneziris, O. N., Ale, B. J. M.,
Morris, M. I. and Oh, J. I. H., I-RISK - Development of an Integrated
Technical and Management Risk Control and Monitoring Methodology for
Managing and Quantifying On-Site and Off-Site Risks. Main Report. Contract
No: ENVA-CT96-0243, 1999.
[32] Davoudian, K., Wu, J.-S. and Apostolakis, G. E., Incorporating organisational
factors into risk assessment through the analysis of work processes, Reliability
Engineering and System Safety. 45 (1994) 85-105.
[33] Davoudian, K., Wu, J.-S. and Apostolakis, G. E., The work process analysis
model (WPAM-II), Reliability Engineering and System Safety. 45 (1994) 107
- 125.
[34] Embrey, D. E., Incorporating management and organisational factors into
probabilistic safety assessment, Reliability Engineering and System Safety. 38,
1-2 (1992) 199 - 208.
[35] Modarres, M., Mosleh, A. and Wreathall, J. A., Framework for assessing
influence of organisation on plant safety, Reliability Engineering & System
Safety. 45 (1994) 157 - 171.
[36] Murphy, D. M. and Paté-Cornell, E. M., The SAM Framework: Modeling the
Effects of Management Factors on Human Behavior in Risk Analysis, Risk
Analysis. 16, 4 (1996).
[37] Øien, K. and Sklet, S., Organisational risk indicators Pilot study Statfjord A (In
Norwegian), SINTEF-report STF38 A00421, SINTEF, Trondheim, Norway,
2000.
[38] Pitblado, R. M., Williams, J. C. and Slater, D. H., Quantitative Assessment of
Process Safety Programs, Plant/Operations Progress. 9, 3 (1990).
[39] Mosleh, A. and Goldfeiz, E. B., An Approach for Assessing the Impact of
Organisational Factors on Risk, Technical research report, CTRS, A. James
Clark School of Engineering, University of Maryland at College Park, 1996.
[40] Øien, K., A framework for the establishment of organizational risk indicators,
Reliability Engineering & System Safety. 74, 2 (2001) 147-167.
[41] Kafka, P., The process of safety management and decision making, ESREL
2005, Tri City, Poland, 2005.
[42] SfS, Barriers - out of the fog, towards increased safety (in Norwegian; Barrierer - ut av tåkehavet, mot bedre sikkerhet), Together for Safety, OLF,
Stavanger, Norway, 2004.
[43] Vinnem, J. E., Aven, T., Hauge, S., Seljelid, J. and Veire, G., Integrated
Barrier Analysis in Operational Risk Assessment in Offshore Petroleum
Operations, PSAM7 - ESREL'04, Berlin, 2004.
[44] Sklet, S. and Steiro, T., Lekkasje i forbindelse med kabeloperasjoner; Tekniske
og operasjonelle forholds betydning for lekkasjer med storulykkespotensiale,
STF50 A05177, SINTEF, Trondheim, 2005.
[45] Øien, K., Hauge, S., Sklet, S. and Monsen, J., Barrier Change Analysis
Method, PSAM 7 / ESREL '04, Berlin, 2004.
[46] OLF, OLF Recommended Guidelines for Common Model for Work Permits
(WP), No.: 088, www.samarbeidforsikkerhet.no, 2003.
[47] OLF, OLF Recommended Guidelines for Common Model for Safe Job
Analysis (SJA), No. 090, www.samarbeidforsikkerhet.no, 2003.
[48] Tinmannsvik, R. K., Sklet, S. and Jersin, E., Methods for accident
investigations; A survey (In Norwegian), STF38 A04422, SINTEF, Dept. of
Safety and Reliability, Trondheim, 2004.
[49] Kaplan, S., Risk Assessment and Risk Management - Basic Concepts and
Terminology, In Knief, R. A. (eds), Risk Management - Expanding Horizons
in Nuclear Power and Other Industries, Hemisphere Publishing Corporation,
USA, 1991.
[50] Hale, A., Note on barriers and delivery systems, PRISM conference, Athens,
2003.
[51] Rausand, M. and Høyland, A., System reliability theory: models, statistical
methods, and applications, Wiley-Interscience, Hoboken, N.J., 2004.
[52] PSA, Trends in risk levels on the Norwegian Continental Shelf Main report
Phase 4 2003 (In Norwegian; Utvikling i risikonivå norsk sokkel Hovedrapport
Fase 4 2003), The Petroleum Safety Authority, Stavanger, 2004.
[53] statistics, Britannica Student Encyclopedia, Encyclopædia Britannica Online.
10. nov. 2005 <http://search.eb.com/ebi/article-208648>, 2005.
[54] Rasmussen, J., Risk management in a dynamic society: a modelling problem,
Safety Science. 27, 2 - 3 (1997) 183 - 213.
[55] Kjellén, U., Prevention of accidents through experience feedback, Taylor &
Francis, London, 2000.
[56] Hovden, J., Sklet, S. and Tinmannsvik, R. K., I etterpåklokskapens klarsyn:
Gransking og læring av ulykker., In Lydersen, S. (eds), Fra flis i fingeren til
ragnarok., Tapir Akademisk Forlag, Trondheim, 2004.
[57] DoE, Conducting Accident Investigations DOE Workbook, Revision 2, U.S.
Department of Energy, Washington D.C, 1999.
[58] Paté-Cornell, E. M., Learning from the Piper Alpha accident: a post-mortem
analysis of technical and organizational factors, Risk Analysis. 13, 2 (1993).
[59] CCPS, Guidelines for Investigating Chemical Process Incidents, Center for
Chemical Process Safety of the American Institute of Chemical Engineers,
New York, 1992.
[60] Hendrick, K. and Benner, L. J., Investigating Accidents with STEP, Marcel
Dekker, New York, 1987.
[61] Bento, J.-P., Menneske - Teknologi - Organisasjon Veiledning for
gjennomføring av MTO-analyser. Kurskompendium for Oljedirektoratet,
Oversatt av Statoil, Oljedirektoratet, Stavanger, Norway, 2001.
[62] Rollenhagen, C., MTO - an introduction; The relationship between humans,
technology, and organisation (In Swedish; MTO - en introduktion; Sambanden
människa, teknik och organisation), Utbildningshuset, Lund, 1997.
[63] Groeneweg, J., Controlling the controllable: The management of safety,
DSWO Press, Leiden, The Netherlands, 1998.
[64] Rasmussen, J. and Svedung, I., Proactive Risk Management in a Dynamic
Society, Swedish Rescue Services Agency, Stockholm, 2000.
[65] Kletz, T. A., Learning from Accidents, Gulf Prof. Publishing, UK, 2001.
PART II PAPERS
Paper 1 Safety barriers: Definition, classification, and performance
Paper 2 Hydrocarbon releases on oil and gas production platforms:
Release scenarios and safety barriers
Paper 3 Barrier and operational risk analysis of hydrocarbon releases
(BORA-Release); Part I Method description
Paper 4 Barrier and operational risk analysis of hydrocarbon releases
(BORA-Release); Part II Results from a case study
Paper 5 Comparison of some selected methods for accident
investigation
Paper 6 Qualitative Analysis of Human, Technical and Operational
Barrier Elements during Well Interventions
Paper 7 Standardised procedures for Work Permits and Safe Job
Analysis on the Norwegian Continental Shelf
Paper 8 Challenges related to surveillance of safety functions
Paper 1
Snorre Sklet
Journal of Loss Prevention in the Process Industries
Article in press, available online 20 January 2006
ARTICLE IN PRESS
Abstract
In spite of the fact that the concept of safety barriers is applied in practice, discussed in the literature, and even required in legislation
and standards, no common terminology for the concept that is applicable across sectors has been developed. This paper
focuses on safety barriers and addresses the following aspects: definitions and understanding of what a safety barrier is, classification of
safety barriers, and attributes of importance for the performance of safety barriers. Safety barriers are physical or non-physical means
planned to prevent, control, or mitigate undesired events or accidents. Barrier systems may be classified according to several dimensions,
for example as passive or active barrier systems, and as physical, technical, or human/operational barrier systems. Several attributes are
necessary to include in order to characterize the performance of safety barriers: functionality/effectiveness, reliability/availability,
response time, robustness, and finally a description of the triggering event or condition. For some types of barriers, not all the attributes
are relevant or necessary in order to describe the barrier performance.
© 2006 Elsevier Ltd. All rights reserved.
Keywords: Safety barrier; Defence-in-depth; Barrier performance; Risk analysis
1. Introduction
Safety barriers have been used to protect humans and
property from enemies and natural hazards since the origin
of human beings. When industrialism created
human-induced hazards, safety barriers were
implemented to prevent accidents caused by these hazards.
The concept of safety barriers is often related to an
accident model called the energy model (see Fig. 1). Gibson
(1961) pioneered the development of the energy model,
while Haddon (1980) developed the model further as he
presented his ten strategies for accident prevention. Safety
barriers also play an important role in the Management
Oversight & Risk Tree (MORT) concept (Johnson, 1980).
During recent years, an extended perspective on safety
barriers has evolved. This is emphasized by Hollnagel
(2004) who states that whereas the barriers used to defend
a medieval castle mostly were of a physical nature, the
modern principle of defence-in-depth combines different
types of barriers, from protection against the release of
Tel.: +47 73 59 29 02; fax: +47 73 59 28 96.
[Fig. 1: the energy model. Labels: Hazard (energy source); Barrier; Victim (vulnerable target).]
[Figure: event sequence with numbered points 1-5. Labels: Corrosion; Failure during flange assembling; Loss of containment; Fire; Loss of human life.]
[Figure: barrier function terms related to accident phases. Phases: Initial phase (lack of control); Concluding phase (loss of control); Injury phase (energy exposure). Terms: Prevent; Avoid; Protect; Control; Mitigate. Sources shown: Hollnagel (2004); IEC 61508/11; ISO 13702; Duijm et al. (2004).]
Table 1
Different classifications of barriers as physical or non-physical
Columns: Terms; References
Terms for physical barriers, in the order listed: Physical; Hard defence; Physical; Technical; Physical; Technical; Technical; Technical; Technical; Physical; Hardware
Terms for non-physical barriers, in the order listed: Non-physical; Soft defence; Administrative; Human factors/organizational; Procedural/administrative; Human actions; Human/organizational; Human; Organizational; Operational; Management; Behavioural
[Figure: Sensor (instrument, mechanical or human); Decision making process (logic solver, relay, mechanical device, human); Action (instrument, mechanical, or human).]
[Figure: classification of safety barriers. Barrier function (what to do), realized by: Barrier system (how to do it). Labels: Passive; Active; Physical; Human/operational; Technical; Safety Instrumented System (SIS); Other technology safety-related system; External risk reduction facilities; Human/operational.]
Table 2
Requirements to barrier quality (Hollnagel, 2004; Taylor, 1988)
Columns: Quality/criterion; Specific requirement
Quality/criterion: Adequacy; Availability, reliability; Robustness; Specificity
Specific requirement: The effects of activating the barrier must not lead to other accidents. The barrier shall not destroy that which it protects.
barrier systems; validity (the ability to handle the deviations, threats, etc., meant to deal with), reliability (the
ability to fulfil specific properties on demand), completeness
(whether it is necessary to implement more barriers), and
maintainability (a measure of how easy it is to maintain the
barrier system).
4.2. Recommendations and comments
[Figure: barrier performance attributes. Labels: Effectiveness; Response time; Level of confidence; Functionality/effectiveness; Reliability/availability; Response time; Robustness; Triggering event or condition.]
Table 3
Safety integrity levels (IEC:61511)
Safety integrity level (SIL) | |
4 | ≥10^-5 to <10^-4 | ≥10^-9 to <10^-8
3 | ≥10^-4 to <10^-3 | ≥10^-8 to <10^-7
2 | ≥10^-3 to <10^-2 | ≥10^-7 to <10^-6
1 | ≥10^-2 to <10^-1 | ≥10^-6 to <10^-5
Hollnagel, E. (1999). Memo - Accident analysis and barrier functions.
Halden: IFE.
Hollnagel, E. (2004). Barrier and accident prevention. Hampshire, UK:
Ashgate.
Hopwood, A. G. (1974). Accounting and human behaviour. London:
Haymarket Publishing.
IAEA. (1999). Basic safety principles for nuclear power plants: 75-INSAG-3, rev.1. Vienna: The International Atomic Energy Agency.
IEC:61508. (1998). Part 1-7 Functional safety of electrical/electronic/
programmable electronic safety-related systems. Geneva: International
Electrotechnical Commission.
IEC:61511. (2002). Functional safety - Safety instrumented systems for the
process industry sector. Geneva: International Electrotechnical Commission.
ISO:13702. (1999). Petroleum and natural gas industries - Control and
mitigation of fires and explosions on offshore production installations -
Requirements and guidelines. Geneva: International Organization for
Standardization.
ISO:17776. (2000). Petroleum and natural gas industries - Offshore
production installations - Guidelines on tools and techniques for hazard
identification and risk assessment. Geneva: International Organization
for Standardization.
Johnson, P., & Gill, J. (1993). Management and organizational behaviour.
London: Paul Chapman Publishing Ltd.
Johnson, W. G. (1980). MORT safety assurance systems. New York:
Marcel Dekker.
Kaplan, S. (1990). Bayes is for eagles. IEEE Transactions on Reliability,
53, 457-481.
Kecklund, L. J., Edland, A., Wedin, P., & Svenson, O. (1996). Safety
barrier function analysis in a process industry: A nuclear power
application. International Journal of Industrial Ergonomics, 17(3),
275-284.
Kirwan, B. (1994). A guide to practical human reliability assessment.
London: Taylor & Francis.
Kjellen, U. (2000). Prevention of accidents through experience feedback.
London: Taylor & Francis.
Kjellen, U., & Larsson, T. (1981). Investigating accidents and reducing
risks - A dynamic approach. Journal of Occupational Accidents, 3,
129-140.
Leveson, N. (1995). SafeWare: System safety and computers. Reading,
MA: Addison-Wesley.
Neogy, P., Hanson, A. L., Davis, P. R., & Fenstermacher, T. E. (1996).
Hazard and Barrier analysis guidance document, Rev. 0. US Department of Energy (DoE), EH-33 Office of Operating Experience Analysis
and Feedback.
OED. (2005). Oxford English dictionary online. Oxford: Oxford University
Press.
OLF. (2001). Recommended guidelines for the application of IEC 61508 and
IEC 61511 in the petroleum activities on the Norwegian Continental
Shelf. Stavanger, Norway: The Norwegian Oil Industry Association.
PSA. (2001). Regulations relating to management in the petroleum activities
(The Management Regulations). 3 September 2001. Norway, Stavanger: Petroleum Safety Authority.
PSA. (2002). Guidelines to regulations relating to management in the
petroleum activities (The management regulations). Norway, Stavanger: Petroleum Safety Authority.
PSA/RNNS. (2002). The development in the risk level on the Norwegian
Continental Shelf - Requirements for registration of the performance of
safety barriers. Letter to the oil companies (in Norwegian). Rev 9.
17.06.2002. Norway, Stavanger: Petroleum Safety Authority.
Paper 2
Snorre Sklet
Journal of Loss Prevention in the Process Industries
Article in press, available online 18 January 2006
ARTICLE IN PRESS
Abstract
The main objective of this paper is to present and discuss a set of scenarios that may lead to hydrocarbon releases on offshore oil
and gas production platforms. Each release scenario is described by an initiating event (i.e., a deviation), the barrier functions introduced
to prevent the initiating event from developing into a release, and how the barrier functions are implemented in terms of barrier
systems. Both technical and human/operational safety barriers are considered. The initiating events are divided into five main categories:
(1) human and operational errors, (2) technical failures, (3) process upsets, (4) external events or loads, and (5) latent failures
from design. The release scenarios may be used as basis for analyses of: (a) the performance of safety barriers introduced to
prevent hydrocarbon releases on specific platforms, (b) the platform specific hydrocarbon release frequencies in future quantitative risk
analyses, (c) the effect on the total hydrocarbon release frequency of the safety barriers and risk reducing measures (or risk increasing
changes).
© 2005 Elsevier Ltd. All rights reserved.
Keywords: Hydrocarbon release; Loss of containment; Safety barrier; Risk analysis; Major accident
1. Introduction
Hydrocarbon releases are a main contributor to the
major accident risk on oil and gas production platforms
(e.g., see Øien, 2001). Fig. 1 shows the total number of
hydrocarbon releases with a release rate higher than 0.1 kg/s
in the process area on platforms on the Norwegian
Continental Shelf in the period 1996-2004 (PSA, 2005).
Until 1999, there was a declining trend, followed by some
years with fluctuations. The total number of hydrocarbon
releases has been reduced both in 2003 and 2004. The
number of hydrocarbon releases with rate higher than 1 kg/s
has not decreased to the same degree (PSA, 2005). The
reduction from 2003 to 2004 has mainly taken place in the
lowest release rate group (0.1-1 kg/s). The data shows large
variations in the frequency of hydrocarbon releases on the
various platforms, which indicates a potential for reducing
the total release frequency. Data from 2001 to 2004 shows
2. Research process
[Fig. 1: number of hydrocarbon releases per year, 1996-2004. Vertical axis: No. of leaks per year (0-50); horizontal axis: year.]
[Figure: research process. Labels: Release statistics; Review of release statistics; Categorization of causes; Accident reports; Study of accident reports; Description of a set of accidents; Procedures; Drawings; Research papers; Standards; Criteria for development of scenarios (initiating events, barrier functions); Platform drawings; Development of draft scenarios; Barrier Block Diagrams (Draft); Accident reports; Operational personnel; Verification of scenarios; Scenarios; Barrier Block Diagrams.]
[Figure: generic barrier block diagram. Initiating event (deviation from normal situation); barrier function realized by a barrier system; "Safe state" when the barrier functions; undesired event when it fails.]
[Figures: barrier block diagrams for two scenarios. Initiating events: Erroneous choice or hook up of temporary hose; Valve in wrong position after manual operation. Barrier functions: Detection of erroneous choice of hose; Detection of erroneous hook-up; Detection of valve(s) in wrong position. End events: "Safe state" (failure revealed and corrected); Release.]
[Figures: barrier block diagrams for two scenarios. Initiating event: Water level in water locks below critical level. Barrier functions: Refilling of water when level is below critical level; Detection of incorrect fitting of flanges or bolts. Other labels: Preventive maintenance; Self control of work. End events: "Safe state" (failure revealed and corrected); Release.]
[Figure: barrier block diagram. Initiating event: Disassembling of hydrocarbon system. Barrier functions: Develop isolation plan for safe disassembling; Isolation, draining, blinding and purging according to plan; Verify empty segment. Other labels: Correct plan; Verification of plan and approval of WP; Verification of work according to plan; Verification of emptied system. End events: "Safe state"; Release.]
[Figure: barrier block diagram. Initiating event: Attempt to open isolation valve or blinding (manual or automatic activation). Barrier function: Prevention of undesired activation of valve/blinding. Other labels: Manual; Automatic; Locking of manual actuator/valve/blinding; Labeling of valve/blinding; Disconnecting of actuator. End events: "Safe state" (failure revealed and corrected); Release.]
[Figure: barrier block diagram. Initiating event: Degradation of valve sealing beyond critical limit. Barrier functions: Maintain valve sealing to prevent degradation; Detect diffuse or minor release. Other labels: Preventive maintenance; Area based leak search; Minor; Significant. End events: "Safe state" (failure revealed and corrected); "Safe state" (minor release revealed); Release.]
[Figure: barrier block diagram. Initiating event: Internal corrosion beyond critical limit. Barrier functions: Detection of corrosion; Detect diffuse or minor release. Other labels: Inspection; Condition monitoring; Area based leak search; Minor; Significant. End events: "Safe state" (corrosion revealed); "Safe state" (minor release revealed); Release.]
[Figure: barrier block diagram. Initiating event: External corrosion beyond critical limit. Barrier functions: Detection of corrosion; Detect diffuse or minor release. Other labels: Inspection; Area based leak search; Minor; Significant. End events: "Safe state" (external corrosion revealed); "Safe state" (minor release revealed); Release.]
[Figure: barrier block diagram. Initiating event: Pressure above critical limit. Barrier functions: Shut off inflow; Pressure relief; Remain integrity of the containment. Other labels: Primary pressure protection (PSD); Secondary pressure protection (PSV); Residual strength in steel. End events: "Safe state" (pressure under control); "Safe state" (pressure < tolerable level); Release.]
[Figure: barrier block diagram. Initiating event: Level above critical limit. Barrier functions: Shut off inflow; Release / draining. Other labels: Primary level protection (PSD); Secondary level protection. End events: "Safe state" (level reduced); Release.]
[Figure: barrier block diagram. Initiating event: Falling object or collision. Barrier function: Protection of equipment. Other labels: Passive protection of equipment. End events: "Safe state" (damage avoided); Release.]
Acknowledgements
The author acknowledges Stein Hauge at SINTEF for
assistance during the project work, and personnel from
Hydro and members of BORA project group for useful
comments during the development of the release scenarios.
References
Aven, T., Sklet, S., & Vinnem, J. E. (2005). Barrier and operational risk
analysis of hydrocarbon releases (BORA-Release); Part I. Method
description. Journal of Hazardous Materials, submitted for publication.
Bellamy, L. J., Papazoglou, I. A., Hale, A. R., Aneziris, O. N., Ale, B. J.
M., Morris, M. I. et al. (1999). I-RISK - development of an integrated
technical and management risk control and monitoring methodology for
managing and quantifying on-site and off-site risks. Main Report,
Contract No: ENVA-CT96-0243.
Botnevik, R., Berge, O., & Sklet, S. (2004). Standardised procedures for
work permits and safe job analysis on the Norwegian continental shelf.
SPE paper number 86629, Society of Petroleum Engineers.
CCPS. (1996). Inherently safer chemical processes: A life cycle approach.
New York: Center for Chemical Process Safety of the American
Institute of Chemical Engineers.
CCPS. (2001). Layer of protection analysis simplified process risk
assessment. New York: Center for Chemical Process Safety of the
American Institute of Chemical Engineers.
Davoudian, K., Wu, J.-S., & Apostolakis, G. E. (1994). Incorporating
organisational factors into risk assessment through the analysis of
work processes. Reliability Engineering and System Safety, 45, 85-105.
DNV and RF (2002). Analysis of causes of process leaks. Pre study,
The Norwegian Petroleum Directorate, Rev. no. 01, Stavanger,
Norway, Det Norske Veritas report no. DNV 2002-4019 (in
Norwegian).
Duijm, N. J., & Goossens, L. (2005). Quantifying the influence of safety
management on the reliability of safety barriers. Journal of Hazardous
Materials, in press, doi:10.1016/j.jhazmat.2005.07.014
Glittum, E. (2001a). Offshore leak frequencies. Porsgrunn, Norway: Norsk
Hydro Research Centre (in Norwegian).
Glittum, E. (2001b). Analysis of leak causes on Norsk Hydro's platforms.
Norsk Hydro Research Centre: Porsgrunn, Norway (in Norwegian).
HSE (2001). HSE report: OSD hydrocarbon release reduction campaign,
report on the HC release incident investigation project 1/4/2000-31/3/2001, UK.
HSE (2002). HSE offshore hydrocarbon releases statistics and analysis
2002, UK.
Hurst, N. W., Bellamy, L. J., Geyer, T. A. W., & Astley, J. A. (1991).
A classification scheme for pipework failures to include human and
sociotechnical errors and their contribution to pipework failure
frequencies. Journal of Hazardous Materials, 26(2), 159-186.
ISO/CD:14224 (2004). Petroleum, petrochemical and natural gas industries - collection and exchange of reliability and maintenance data for
equipment. Rev 2, Date: 2004-05-13, International Standardization
Organization.
ISO:10418. (2003). Petroleum and natural gas industries - offshore production installations - basic surface process safety systems. International
Standardization Organization.
Khan, F. I., & Abbasi, S. A. (2002). A criterion for developing credible
accident scenarios for risk assessment. Journal of Loss Prevention in the
Process Industries, 15, 467-475.
OLF. (2004). Recommendations to operators to reduce hydrocarbon leaks.
Stavanger: The Norwegian Oil Industry Association.
Olson, J., Chockie, A. D., Geisendorfer, C. L., Vallario, R. W., & Mullen,
M. F. (1988). Development of programmatic performance indicators.
NUREG/CR-5241, PNL-6680, BHARC-700/88/022, US Nuclear
Regulatory Commission, Washington, DC, USA.
Papazoglou, I. A., Aneziris, O. N., Post, J. G., & Ale, B. J. M. (2003).
Technical modeling in integrated risk assessment of chemical installations. Journal of Loss Prevention in the Process Industries, 16, 575-591.
PSA. (2003). The risk level on the Norwegian Continental Shelf 2002.
Stavanger: The Petroleum Safety Authority.
PSA. (2005). Trends in risk levels - summary report Phase 5 (2004).
Stavanger: The Petroleum Safety Authority.
Sklet, S. (2005). Safety barriers; definition, classification, and performance. Journal of Loss Prevention in the Process Industries, accepted
for publication.
Sklet, S., & Hauge, S. (2004). Safety barriers to prevent release of
hydrocarbons during production of oil and gas. Trondheim: SINTEF
Industrial Management Safety and Reliability.
Sklet, S., Steiro, T., & Tjelta, O. (2005). Qualitative analysis of human,
technical and operational barrier elements during well interventions.
ESREL 2005, Tri City, Poland: Balkema.
Sklet, S., Vinnem, J. E., & Aven, T. (2005). Barrier and operational risk
analysis of hydrocarbon releases (BORA-Release); Part II. Results
from a case study. Journal of Hazardous Materials, submitted for
publication.
Vinnem, J. E., Aven, T., Hauge, S., Seljelid, J., & Veire, G.
(2004). Integrated barrier analysis in operational risk assessment
in offshore petroleum operations. PSAM7-ESREL04. Berlin:
Springer.
Øien, K. (2001). Risk indicators as a tool for risk control. Reliability
Engineering & System Safety, 74(2), 129-145.
Paper 3
Barrier and operational risk analysis of hydrocarbon releases (BORA-Release); Part I Method description
Abstract
Investigations of major accidents show that technical, human, operational, as well as
organisational factors influence the accident sequences. In spite of these facts,
quantitative risk analyses of offshore oil and gas production platforms have focused
on technical safety systems. This paper presents a method (called BORA-Release)
for qualitative and quantitative risk analysis of the platform specific hydrocarbon
release frequency. By using BORA-Release it is possible to analyse the effect of
safety barriers introduced to prevent hydrocarbon releases, and how platform
specific conditions of technical, human, operational, and organisational risk
influencing factors influence the barrier performance. BORA-Release comprises the
following main steps; 1) Development of a basic risk model including release
scenarios, 2) Modelling the performance of safety barriers, 3) Assignment of generic
data and risk quantification based on these data, 4) Development of risk influence
diagrams, 5) Scoring of risk influencing factors, 6) Weighting of risk influencing
factors, 7) Adjustment of generic input data, and 8) Recalculation of the risk in order
to determine the platform specific risk related to hydrocarbon release. The various
steps in BORA-Release are presented and discussed. Part II of the paper presents
results from a case study where BORA-Release is applied.
Keywords: Risk analysis, hydrocarbon release, loss of containment, safety barrier,
organisational factors.
Introduction
In-depth investigations of major accidents, like the process accidents at Longford [1]
and Piper Alpha [2], the loss of the space shuttles Challenger [3] and Columbia [4],
the high-speed craft Sleipner accident [5], the railway accidents at Ladbroke Grove
[6] and Åsta [5], and several major accidents in Norway during the last 20 years [7], show
that technical, human, operational, and organisational factors all influence
the accident sequences. In spite of these findings, the main focus in quantitative risk
analyses (QRA) is on technical safety systems. As regards offshore QRA, one of the
conclusions drawn by Vinnem et al [8] is that a more detailed analysis of all aspects
of safety barriers is required.
Several models and methods for incorporating organisational factors in QRA or
probabilistic risk assessments (PRA) have been proposed. Among these are Manager
[9], MACHINE (Model of Accident Causation using Hierarchical Influence
NEtwork) [10], ISM (Integrated Safety Method) [11], WPAM (The Work Process
Analysis Model) [12, 13], I-RISK (Integrated Risk) [14-16], the ω-factor model
[17], SAM (System Action Management) [18, 19], ORIM (Organisational Risk
Influence Model) [20, 21], and ARAMIS [22]. These models/methods have been
developed and described in the literature the last 15 years. However, none of them
are so far used as an integrated part of offshore QRA.
The Petroleum Safety Authority Norway (PSA) gives several requirements to risk
analysis and safety barriers in their regulations [23]: QRA shall be carried out to
identify contributors to major accident risk and provide a balanced and
comprehensive picture of the risk. The operator, or the one responsible for the
operation of a facility, shall stipulate the strategies and principles on which the
design, use, and maintenance of safety barriers shall be based, so that the barrier
function is ensured throughout the lifetime of the facility. It shall be known which
safety barriers that have been established, which function they are intended to fulfil,
and what performance requirements have been defined with respect to the technical,
operational or organisational elements that are necessary for the individual barrier to
be effective.
In spite of these requirements, QRAs of offshore platforms are still limited to
analysis of consequence reducing barriers with no, or limited analysis of barriers
introduced to reduce the probability of hydrocarbon release. Therefore, a method
that may be applied to analyse safety barriers introduced to prevent hydrocarbon
releases is required. The method ought to be used for qualitative and quantitative
analyses of the effect on the barrier performance, and thus the risk, of plant specific
conditions of technical, human, operational, as well as organisational risk
influencing factors (RIFs). With this background, the BORA-project (Barrier and
Operational Risk Analysis) was initiated in order to perform a detailed and
quantitative modelling of barrier performance, including barriers to prevent the
occurrence of initiating events (e.g., hydrocarbon release), as well as barriers to
reduce the consequences [24].
The main objective of this paper is to present and discuss a new method for
qualitative and quantitative analyses of the platform specific hydrocarbon release
frequency, called BORA-Release. BORA-Release makes it possible to analyse the
effect on the hydrocarbon release frequency of safety barriers introduced to prevent
release, and how platform specific conditions of technical, human, operational, and
organisational RIFs influence the barrier performance. The paper is limited to
analysis of hydrocarbon release (or loss of containment). However, the principles in
BORA-Release are relevant for analysis of the consequence barriers as well.
The paper is organized as follows. Section 2 describes the process for development
of the method. Section 3 describes BORA-Release. Section 4 discusses critical
issues of the method. The discussion is divided in three parts; a discussion of the
different steps in BORA-Release, a discussion of the extent of fulfilment of a set of
criteria, and a discussion of application areas. Some conclusions and ideas for
further work are presented in section 5. Part II presents some results from a case
study where BORA-Release is applied.
Research approach
Several criteria that BORA-Release should fulfil were developed. The criteria were
developed as a result of discussions of the purpose of the analysis method. The aim
was to develop a method that:
An assessment of the suitability of some existing risk analysis methods was carried
out in order to select an approach for analyses of the release scenarios. The
following methods were assessed; a) the current practice in QRA, b) fault tree
analysis, c) barrier block diagram (corresponds to event tree analysis), and d) an
overall influence diagram. The assessment was based on a discussion of advantages
and disadvantages of the different methods and an attempt to score the different
modelling techniques according to fulfilment of the former described criteria. The
assessment is shown in Table 1, where a score of 1 indicates "not suitable" and a
score of 5 indicates "very suitable".
Table 1. Comparison of various modelling approaches.
No. | Criteria | Current QRA | Fault tree | Barrier block diagram | Overall influence diagram
    |          | 22          | 28         | 36                    | 26
Based on this suitability assessment and the literature review, it was decided to
apply barrier block diagrams to model the hydrocarbon release scenarios and fault
tree analyses and/or risk influence diagrams to model the performance of different
barrier functions (blocks in the barrier block diagram).
Description of BORA-Release
3.1
The first step is to develop a basic risk model that covers a representative set of
hydrocarbon release scenarios. The purpose is to identify, illustrate, and describe the
scenarios that may lead to hydrocarbon release on a platform. The basic risk model
forms the basis for the qualitative and quantitative analyses of the risk of
hydrocarbon release and the safety barriers introduced to prevent hydrocarbon
release. A representative set of 20 hydrocarbon release scenarios has been developed
and described [27]. Examples are "Release due to mal-operation of valve(s) during
manual operations", "Release due to incorrect fitting of flanges or bolts during
maintenance", and "Release due to internal corrosion".
The basic risk model is illustrated by barrier block diagrams as shown in Figure 1.
A barrier block diagram consists of an initiating event, arrows that show the event
sequence, barrier functions realized by barrier systems, and possible outcomes. A
horizontal arrow indicates that a barrier system fulfils its function, whereas an arrow
downwards indicates failure to fulfil the function. In our case, the undesired event is
hydrocarbon release (loss of containment). A barrier block diagram corresponds to
an event tree and can be used as a basis for quantitative analysis.
[Figure 1: barrier block diagram. Initiating event (deviation from normal situation); barrier function realized by a barrier system; "Safe state" when the barrier functions; undesired event when it fails.]
An initiating event for a release scenario is the first significant deviation from a
normal situation that under given circumstances may cause a hydrocarbon
release (loss of containment). A normal situation is a state where the process
functions as normal according to design specifications without significant
process upsets or direct interventions into the processing plant.
A barrier function is defined as a function planned to prevent, control or mitigate
undesired events or accidents [28]. A barrier system is a system that has been
designed and implemented to perform one or more barrier functions. A barrier
system may consist of different types of system elements, for example, technical
elements (hardware, software), operational activities executed by humans, or a
combination thereof. In some cases, there may be several barrier systems that carry
out one barrier function.
Hydrocarbon release in this context is defined as gas or oil leaks (incl. condensate)
from the process flow, well flow or flexible risers with a release rate greater than 0.1
kg/s. Smaller leaks are called "minor release" or "diffuse discharges".
3.2
The next step is to model the performance of safety barriers. The purpose of this
modelling is to analyse the plant specific barrier performance and allow for platform
specific analysis of the conditions of human, operational, organisational, and
technical factors. The safety barriers are described as separate boxes in the barrier
block diagrams. According to Sklet [28], the following attributes regarding
performance of safety barriers should be allowed for in the analysis; a) the triggering
event or condition, b) functionality or effectiveness, c) response time, d)
reliability/availability, and e) robustness.
Fault tree analysis is used for analysis of barrier performance in BORA-Release. The
generic top event in the fault trees in BORA-Release is "Failure of a barrier
system to perform the specified barrier function". This generic top event needs to be
adapted to each specific barrier in the different scenarios. The results from the
qualitative fault tree analyses are a list of basic events and an overview of (minimal)
cut sets. Basic events are the bottom or leaf events of a fault tree (e.g., component
failures and human errors), while a cut set is a set of basic events whose occurrence
(at the same time) ensures that the top event occurs [29]. A cut set is said to be
minimal if the set cannot be reduced without loosing its status as a cut set.
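The cut set definitions above, worked through on a small fault tree as an added Python example (not code from the thesis). The tree, its gate and event names and the basic event probabilities are constructed; the top event probability uses the standard minimal cut set upper bound with independent basic events, a technique the page itself does not state.

```python
"""Added example: minimal cut sets of a small, constructed fault tree."""
from itertools import product
from math import prod

# Constructed fault tree. Keys are gates; any name that is not a key is a basic
# event. Top event (adapted from the generic one): the barrier system
# "self control / use of checklist" fails to detect a valve in wrong position.
FAULT_TREE = {
    "TOP": ("OR", ["CHECK_NOT_DONE", "CHECK_INEFFECTIVE"]),
    "CHECK_NOT_DONE": ("AND", ["checklist_not_used", "self_control_omitted"]),
    "CHECK_INEFFECTIVE": ("OR", ["valve_position_misread", "HANDOVER_GAP"]),
    "HANDOVER_GAP": ("AND", ["checklist_not_used", "self_control_omitted",
                             "shift_handover_incomplete"]),
}

# Constructed basic event probabilities (illustrative values only).
BASIC_EVENT_PROB = {
    "valve_position_misread": 0.01,
    "checklist_not_used": 0.1,
    "self_control_omitted": 0.2,
    "shift_handover_incomplete": 0.05,
}


def cut_sets(tree, node):
    """Expand a node top-down into cut sets (sets of basic events)."""
    if node not in tree:                      # basic event (leaf)
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(tree, child) for child in children]
    if gate == "OR":                          # any child's cut set is enough
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                         # need one cut set from every child
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r} at {node!r}")


def minimal_cut_sets(tree, top="TOP"):
    """Drop every cut set that still contains a smaller cut set."""
    unique = set(cut_sets(tree, top))
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def top_event_upper_bound(min_cuts, q):
    """Upper bound 1 - prod_j (1 - prod_{i in K_j} q_i) over minimal cut sets K_j."""
    return 1 - prod(1 - prod(q[event] for event in cs) for cs in min_cuts)


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE)
    for cs in mcs:
        print(sorted(cs))
    print(f"top event probability <= {top_event_upper_bound(mcs, BASIC_EVENT_PROB):.4f}")
```

The three-event cut set from HANDOVER_GAP is discarded because it contains the two-event cut set from CHECK_NOT_DONE, which is exactly the "cannot be reduced" condition in the definition.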
3.3
In step three, the purpose is to assign data to the initiating events and the basic
events in the fault trees and carry out a quantitative analysis of the risk of
hydrocarbon release by use of these data (quantitative analysis of fault trees and
event trees). In practice, extensive use of industry average data are necessary to be
able to carry out the quantitative analysis. Several databases are available presenting
industry average data like OREDA [30] for equipment reliability data, and THERP
[31] and CORE-DATA [32, 33] for human reliability data (see [34] for an overview
of data sources). If possible, plant specific data should be applied. Plant specific data
may be found in, e.g., incident databases, log data, and maintenance databases. In
some cases, neither plant specific data nor generic data may be found, and it may be
necessary to use expert judgment to assign probabilities.
The quantification of the risk of hydrocarbon release is carried out by use of the
assigned data. The results of this calculation may to some degree reflect plant
specific conditions, however, most of the data are based on generic databases.
3.4
Step four is to develop risk influence diagrams. The purpose of the risk influence
diagram is to incorporate the effect of the plant specific conditions as regards
human, operational, organisational, and technical RIFs on the occurrences
(frequencies) of the initiating events and the barrier performance.
An example of a risk influence diagram for the basic event "Failure to detect leak in
the leak test", which is influenced by four RIFs, is shown in Figure 2. If necessary,
we have to develop one risk influence diagram for each basic event. The number of
RIFs influencing each basic event is limited to six in order to reduce the total
number of RIFs in the analysis.
[Figure 2: risk influence diagram. RIFs shown: Communication, Methodology, Procedures for leak test, Competence.]
Due to the complexity and variation in the types of events considered, a combined
approach is preferred in order to identify RIFs; 1) a top-down approach where a
generic list of RIFs is used as a basis, and 2) a bottom-up approach where the events
to be assessed are chosen as a starting point. This implies that specific RIFs are
identified for each initiating event and each basic event from the generic list of RIFs.
The generic list may be supplemented by new RIFs when necessary.
A framework for identification of RIFs has been developed. The framework consists
of the following main groups of RIFs:
A more detailed taxonomy of generic RIFs as shown in Table 2 has been developed.
A brief explanation of each RIF is also included in the last column in the table. The
proposed RIF framework and the taxonomy of generic RIFs are based on a review,
comparison, and synthesis of several schemes of classification of human, technical,
and organisational (MTO) factors:
Classification of causes in methods for accident investigations, like MTO-analysis [35], and TRIPOD [36].
Classification of organisational factors in models for analysis of the
influence of organisational factors on risk, like I-RISK [14], and WPAM
[12, 37].
Classification of performance shaping factors (PSFs) in methods for human
reliability analysis (HRA), like THERP [31], CREAM [38], SLIM-MAUD
[39], and HRA databases CORE-DATA [40].
A draft version of the taxonomy of RIFs was applied and discussed in the case study
[26] and three specific RIFs were added to the list of RIFs in Table 2 based on
discussions in a workshop with platform personnel.
Table 2. Descriptions of risk influencing factors.
Columns: RIF group, RIF, RIF description.
RIF groups: Personal characteristics; Task characteristics; Administrative control; Organisational factors / operational philosophy.
RIFs: Competence; Working load / stress; Fatigue; Work environment; Methodology; Task supervision; Task complexity; Time pressure; Tools; Spares; Process complexity; HMI (Human Machine Interface); Maintainability/accessibility; System feedback; Technical condition; Procedures; Work permit; Disposable work descriptions; Programs; Work practice; Supervision; Communication; Acceptance criteria; Simultaneous activities; Management of changes.
RIF descriptions:
Working load / stress: Cover aspects related to the general working load on persons (the sum of all tasks and activities)
Technical condition: Cover aspects related to the condition of the technical system
Procedures: Cover aspects related to the quality and availability of permanent procedures and job/task descriptions
3.5
We need to assess the status of the RIFs on the platform. The aim is to assign a score
to each identified RIF in the risk influence diagrams. Each RIF is given a score from
A to F, where score A corresponds to the best standard in the industry, score C
corresponds to industry average, and score F corresponds to worst practice in the
industry (see Table 3). The six-point scale is adapted from the TTS project [41].
Several methods for assessing organisational factors are described in the literature
(e.g., see [37]). Three approaches for assignment of scores of the RIFs are described
in this paper; 1) Direct assessment of the status of the RIFs, 2) Assessment of status
by use of results from the TTS projects, and 3) Assessment of status by use of results
from the RNNS project.
Direct assessment of the status of the RIFs in the risk influence diagrams may be
carried out in a RIF audit. Usually, a RIF audit is carried out by structured
interviews of key personnel on the plant and observations of work performance.
Useful aids are behavioural checklists and behaviourally anchored rating scales
(BARS) [37]. In addition, surveys may be used as part of the RIF audit as
supplement to the other techniques.
The TTS project proposes a review method to map and monitor the technical safety
level on offshore platforms and land-based facilities based on the status of safety
critical elements, safety barriers, and their intended function in major accidents
prevention [41]. The TTS project is based on a review technique using defined
performance requirements. The condition of safety barriers is measured against best
practices as well as minimum requirements. A number of examination activities are
defined and used to check each performance requirement, including document
reviews, interviews, visual inspections, and field tests. Performance standards are
developed for 19 areas, including the containment function, and each performance
standard contains a set of performance requirements divided in the four groups
function, integrity, survivability, and management. A six point scoring scheme is
used in the TTS project that may be directly transformed to the scores in Table 3.
Finally, the assessment of the status of the RIFs may be based on results from the
RNNS project [42] and accident investigations. The RNNS project includes a broad
3.6
Weighting of the RIFs is an assessment of the effect (or importance) the RIFs have on
the frequency of occurrence of the basic events. The weights of the RIFs correspond
to the relative difference in the frequency of occurrence of an event if the status of
the RIF is changed from A (best standard) to F (worst practice).
The weighting of the RIFs is done by expert judgment. In practice, the assessment of
the weights is based on a general discussion of the importance with platform
personnel and the analysts where the following principles are applied:
1. Determine the most important RIF based on general discussions
2. Give this RIF a relative weight equal to 10
3. Compare the importance of the other RIFs with the most important one, and
give them relative weights on the scale 10 - 8 - 6 - 4 - 2
4. Evaluate if the results are reasonable
The weights then need to be normalized as the sum of the weights for the RIFs
influencing a basic event should be equal to 1.
3.7
Further, the generic input data used in the quantitative analysis are adjusted. The
purpose is to assign platform specific values to the input data allowing for platform
specific conditions of the RIFs. The generic input data are revised based on the risk
influence diagrams through an assessment of the weights and the status of the RIFs.
The following principles for adjustment are proposed:
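Let $P_{rev}(A)$ be the installation specific probability (or frequency) of occurrence of
event A. The probability $P_{rev}(A)$ is determined by the following procedure:

$$P_{rev}(A) = P_{ave}(A) \sum_{i=1}^{n} w_i Q_i \tag{1}$$

$$\sum_{i=1}^{n} w_i = 1 \tag{2}$$

$$Q_i(s) = \begin{cases} P_{low}/P_{ave} & \text{if } s = A \\ 1 & \text{if } s = C \\ P_{high}/P_{ave} & \text{if } s = F \end{cases} \tag{3}$$

$$Q_i(B) = \frac{P_{low}}{P_{ave}} + \frac{(s_B - s_A)\left(1 - \frac{P_{low}}{P_{ave}}\right)}{s_C - s_A} \tag{4}$$

$$Q_i(D) = 1 + \frac{(s_D - s_C)\left(\frac{P_{high}}{P_{ave}} - 1\right)}{s_F - s_C} \tag{5}$$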
[Figure: plot against "Score"; axis ticks from 0 to 10.]
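The scoring, weighting and adjustment steps above, carried through equations (1) to (5) as an added Python example (not code from the thesis). It assumes equally spaced score values s_A = 1 to s_F = 6, reads P_low and P_high as the lowest and highest values assigned to the event probability, and extends the interpolation of equation (5) to score E; all probabilities, weights and scores are constructed.

```python
"""Added example: BORA-Release adjustment of generic input data, eqs. (1)-(5)."""

# Assumption: scores are equally spaced, s_A = 1 ... s_F = 6. The numeric
# values of s_A..s_F are not given on the page.
SCORE_VALUE = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5, "F": 6}
ALLOWED_RAW_WEIGHTS = {10, 8, 6, 4, 2}   # relative scale used in the weighting step
MAX_RIFS_PER_EVENT = 6                   # limit stated for each basic event


def normalize_weights(raw):
    """Turn relative weights (10-8-6-4-2 scale) into weights summing to 1, eq. (2)."""
    if not raw or len(raw) > MAX_RIFS_PER_EVENT:
        raise ValueError("a basic event needs between 1 and 6 RIFs")
    if any(w not in ALLOWED_RAW_WEIGHTS for w in raw.values()):
        raise ValueError("relative weights must be on the scale 10, 8, 6, 4, 2")
    if max(raw.values()) != 10:
        raise ValueError("the most important RIF must have relative weight 10")
    total = sum(raw.values())
    return {rif: w / total for rif, w in raw.items()}


def q_factor(score, p_low, p_ave, p_high):
    """Status factor Q_i(s): anchors of eq. (3), linear interpolation of eqs. (4)-(5)."""
    if not 0 < p_low <= p_ave <= p_high:
        raise ValueError("need 0 < P_low <= P_ave <= P_high")
    if score not in SCORE_VALUE:
        raise ValueError(f"unknown score {score!r}")
    s = SCORE_VALUE[score]
    s_a, s_c, s_f = SCORE_VALUE["A"], SCORE_VALUE["C"], SCORE_VALUE["F"]
    q_best, q_worst = p_low / p_ave, p_high / p_ave
    if s <= s_c:     # A, B, C: between P_low/P_ave and 1, eq. (4)
        return q_best + (s - s_a) * (1 - q_best) / (s_c - s_a)
    # D, E, F: between 1 and P_high/P_ave, eq. (5); E is an added generalization
    return 1 + (s - s_c) * (q_worst - 1) / (s_f - s_c)


def revised_probability(p_ave, p_low, p_high, raw_weights, scores):
    """P_rev(A) = P_ave(A) * sum_i w_i * Q_i, eq. (1)."""
    if set(raw_weights) != set(scores):
        raise ValueError("every weighted RIF needs a score, and vice versa")
    weights = normalize_weights(raw_weights)
    factor = sum(w * q_factor(scores[rif], p_low, p_ave, p_high)
                 for rif, w in weights.items())
    return p_ave * factor


def relative_change(p_ave, p_low, p_high, raw_weights, scores, rif, new_score):
    """Sensitivity: P_rev(after) / P_rev(before) when one RIF changes score."""
    before = revised_probability(p_ave, p_low, p_high, raw_weights, scores)
    after = revised_probability(p_ave, p_low, p_high, raw_weights,
                                {**scores, rif: new_score})
    return after / before


# Constructed input for the basic event "Failure to detect leak in the leak
# test" with the four RIFs of its risk influence diagram. Numbers are made up.
P_AVE, P_LOW, P_HIGH = 0.02, 0.002, 0.1
RAW_WEIGHTS = {"Competence": 10, "Methodology": 6,
               "Procedures for leak test": 2, "Communication": 2}
SCORES = {"Competence": "B", "Methodology": "C",
          "Procedures for leak test": "D", "Communication": "C"}

if __name__ == "__main__":
    p_rev = revised_probability(P_AVE, P_LOW, P_HIGH, RAW_WEIGHTS, SCORES)
    print(f"P_ave = {P_AVE:.4f}, P_rev = {p_rev:.4f}")
    ratio = relative_change(P_AVE, P_LOW, P_HIGH, RAW_WEIGHTS, SCORES,
                            "Procedures for leak test", "A")
    print(f"Procedures for leak test D -> A scales P_rev by {ratio:.3f}")
```

With every RIF at score C the factor is 1 and P_rev equals P_ave, which is the method's stated link between industry average data and industry average RIF status.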
3.8
introduced to prevent hydrocarbon release. The revised risk picture takes the
platform specific conditions of technical, human, operational, and organisational
RIFs into consideration.
Discussion
The discussion is divided in three main parts. The first part contains a discussion of
the different steps in BORA-Release. Part two contains a discussion of the extent to which
the criteria presented in section 2 are fulfilled, while application areas of BORA-Release are discussed in part three.
4.1
Discussion of BORA-Release
The framework used to identify RIFs and develop risk influence diagram consists of
characteristics of the personnel, the task, the technical system, administrative
control, and organisational factors/operational conditions. The framework is based
on a review, comparison, and synthesis of several schemes of classification of MTO-factors. While traditional performance influence factors (PIFs) as reviewed by Kim
and Jung [45] focus on factors influencing human failure events, the RIF
framework presented in subsection 3.4 also includes factors influencing hardware
(system/component) failure events (e.g., material properties and program for
preventive maintenance).
However, the main groups in the RIF framework are similar to a model of the task
context of nuclear power plants described by Kim and Jung [45]. The main
difference is that we have defined an additional group called administrative control
including for example procedures, which Kim and Jung [45] include as part of the task.
Further, we have defined organisational factors/operational conditions as a separate
group (and not as part of the environment).
Experience from the case study indicates that the main groups in the framework are
adequate for identification of RIFs. But the list of generic RIFs in Table 2 may be
supplemented by more RIFs to cover all the basic events included in the analyses of
barrier performance. This implies that the list of generic RIFs may be a living
document that may be revised due to more experience by use of the list.
Scoring of risk influencing factors
A six-point score scheme is used for assignment of scores to the RIFs and the scores
are related to different levels in the industry. Three anchor points are defined where
score A corresponds to the best standard in the industry, score C corresponds to the
industry average standard, and score F corresponds to the worst practice in the
industry. The rationale behind this is that industry average data reflects the industry
average standard as regards status of the RIFs. The argument for the misalignment
of the scores (A and B better than average, and D, E, and F worse than average) is
that the existing safety level within the industry is so high that the potential for
declining in the status is greater than the improvement potential.
Three approaches for giving scores to the RIFs are described. The approaches may
be used separately, or combined in order to assign scores. The first approach, direct
assessment of the status of the RIFs by a RIF-audit is the most resource demanding
approach. However, this approach may ensure a high validity of the assignment of
scores since the assessment of the specific RIFs is based on the risk influence
diagrams developed for each basic event. There is demand for development of aids
for execution of RIF audits, e.g., BARS with description of the reference levels for
scoring. Such aids will contribute to better consistency of the assignment of scores.
The second approach, assessment of status by use of results from the TTS projects,
uses existing data from a project carried out for several platforms on the Norwegian
Continental Shelf (NCS) so the use of resources will be limited. The scoring scheme
used in the TTS project also consists of a six-point scale, but the scores are related to
some performance criteria and not to the industry average level. However, the TTS
scores may be transformed to the BORA scores. There are some disadvantages of
this approach. The TTS projects are not carried out for all platforms on the NCS.
The main focus in the project is the status of technical aspects of the consequence
reducing barriers so limited knowledge may be collected about the organisational
factors. The TTS assessment may have been carried out several years before the actual
analysis, so the data may be out of date. Finally, the
relevance of the data may be questionable since the original assessments have been
performed for another purpose. Thus, the results should be interpreted prior to use.
The third approach, use of results from the RNNS survey and accident investigations
has been applied during the case study. The main advantage is the availability of
platform specific results from the survey on all platforms on the NCS. However,
there are several disadvantages with this approach. The main disadvantage is the low
validity since the scores are assigned based on questions from a questionnaire not
developed for this purpose where the questions are rather general and not specific
for the specific RIFs. As an example, the RIF "Time pressure" will be given the
same score for all activities on the platform regardless of who, when, or where the
activity is carried out. The survey is carried out every second year, so the results from
the last survey may not be up to date when the data are applied. The last aspect is
that the answers in the survey may be influenced by other factors, e.g., general
dissatisfaction with the working conditions not relevant for the analysed RIF.
The credibility of the status assessment is one important aspect to consider when
selecting an approach for scoring of RIFs. As a rule of thumb, we may say that the more
specific, detailed, and resource demanding the assessment of the RIF status is, the
more credible the results are. However, the use of resources should be balanced
against the argument from the representatives from the oil companies that it is
important to use existing data in order to minimize the use of resources.
of the influence of RIFs (i.e., the qualitative analysis) are important results in itself
independent of the quantitative results.
4.2
Fulfilment of criteria
collected on the British sector [32, 33], but it has been necessary to use data from the
nuclear industry in the case study.
The focus of the next criterion is consideration of different activities, phases, and
conditions in the analysis. So far, the focus has been on failures introduced during
normal production, maintenance, shutdown, and start-up within the operational
phase of the life-cycle of a platform, and safety barriers introduced to prevent
releases due to such failures. Latent failures from the design phase and safety
barriers aimed to prevent such failures have not been analysed.
Criterion seven states that the method should enable identification of common
causes and dependencies. This aspect is taken into account in Section 5.
Criterion eight deals with practical applicability with respect to use of resources.
Unfortunately, to carry out a comprehensive analysis of the complex reality in a
process plant is resource demanding. If the analysis shall give adequate support
during the decision-making process, the level of detail of the analysis needs to reflect
the reality on the platform. However, it may be possible to carry out less
comprehensive analysis of specific problem areas on the platform with less use of
resources.
The last criterion states that the method shall provide a basis for re-use of the
generic model. If a generic risk model is developed, it will be manageable to carry
out some installation specific considerations about the status on each platform, and
to carry out simple comparisons with other platforms (e.g., practice regarding
operational barriers as third party control of work or status of the RIFs).
4.3
Application of BORA-Release
The qualitative analysis of the release scenarios including the safety barriers
generates knowledge about factors influencing the frequency of hydrocarbon release
within the process plant even though no quantitative analysis is carried out. This
knowledge may support decisions of importance for the future performance of the
safety barriers.
Although BORA-Release may be used to calculate platform specific hydrocarbon
release frequencies, the main area of application is not the release frequency itself,
but use of the model to assess the effect of risk reducing measures and risk
increasing changes during operations. Sensitivity analysis may be carried out in
order to analyse the effect of changes in technical, human, operational, as well as
organisational RIFs. Focus on relative changes in the release frequency instead of
absolute numbers may increase the credibility of the results. In addition, the effect of
introduction of new safety barriers may be analysed. The results from a case study
where BORA-Release was used to analyse several release scenarios showed that the
model is useful to analyse the effect of different risk reducing measures [26].
develop behaviourally anchored rating scales (BARS) or similar aids that may be
used as basis for the RIF-audits.
Lack of relevant data, especially for human error probabilities on offshore platforms
is a challenge. There may be need for collecting new types of data that are not
available in existing databases. However, collection of data is resource demanding
and it may be difficult to initiate such projects.
A high number of RIFs are listed in Table 2. Further work should be initiated in
order to improve the descriptions and assess whether the total number of RIFs may
be reduced, e.g., by combining two of the RIFs into one new RIF.
Events in BORA-Release are considered independent, conditional on the RIFs.
Independence could be questioned; however, it is likely to be sufficiently accurate
from a practical point of view.
There may be interaction effects among the RIFs influencing one basic event.
Interaction effects mean that a RIF will have a different effect on the basic event,
depending on the status of another RIF (positive correlation), e.g., if the competence
of personnel is poor, it will be even more serious if the quality of procedures also is
poor. A simple approach is suggested for analysis of interaction effects among RIFs
in BORA-Release. If two or more RIFs are assumed to interact, and their status is
worse than average (D, E, or F), the score of one of them is reduced one category
(e.g., from D to E). Similarly, if the scores of two interacting RIFs are better than
average, the score of one of the RIFs is increased one category (from B to A).
However, more sophisticated methods should be assessed as part of future research,
e.g., use of Bayesian belief networks to more accurately model the interactions
between the RIFs (see e.g., [20]).
Development of a risk model including safety barriers that may prevent, control, or
mitigate accident scenarios with in-depth modelling of barrier performance allows
explicit modelling of functional common cause failures (e.g., failures due to
functional dependencies on a support system). However, further research will be
carried out to assess the effect of residual common cause failures that may lead to
simultaneous failures of more than one safety barrier, for example errors introduced
during maintenance (e.g., calibration) that may cause simultaneous failures of
several types of detectors (e.g., gas detectors and fire detectors).
One basis for BORA-Release is the assumption that the average standard of RIFs
corresponds to generic input data and better standard on the RIFs than average lead
Acknowledgement
The development of BORA-Release has been carried out as part of the BORA project financed by the Norwegian Research Council, The Norwegian Oil Industry
Association, and Health and Safety Executive in UK. The authors acknowledge
personnel from the steering committee that have commented on the preliminary
version of BORA-Release.
References
[1] Hopkins, A., Lessons from Longford: the Esso gas plant explosion, CCH
Australia Ltd, Sydney, 2000.
[2] Cullen, W. D., The public inquiry into the Piper Alpha disaster, HMSO, London,
1990.
[3] Vaughan, D., The Challenger launch decision : risky technology, culture, and
deviance at NASA, University of Chicago Press, Chicago, 1996.
[4] CAIB, The Columbia Accident Investigation Board Report - Volume 1,
http://www.caib.us/, 2003.
[5] NOU, Åstaulykken, 4. januar 2000., Justis- og politidepartementet, Oslo,
Norge, 2000.
[6] Cullen, W. D., The Ladbroke Grove Rail Inquiry: Report, Part 1, HSE Books,
United Kingdom, 2001.
[7] Sklet, S., Storulykker i Norge de siste 20 årene, In Lydersen, S. (eds), Fra flis i
fingeren til ragnarok, Tapir Akademisk Forlag, Trondheim, 2004.
[8] Vinnem, J. E., Aven, T., Hundseid, H., Vassmyr, K. A., Vollen, F. and Øien,
K., Risk assessments for offshore installations in the operational phase, ESREL
2003, Maastricht, The Netherlands, 2003.
[9] Pitblado, R. M., Williams, J. C. and Slater, D. H., Quantitative Assessment of
Process Safety Programs, Plant/Operations Progress. 9, 3 (1990).
[10] Embrey, D. E., Incorporating management and organisational factors into
probabilistic safety assessment, Reliability Engineering and System Safety. 38,
1-2 (1992) 199 - 208.
[11] Modarres, M., Mosleh, A. and Wreathall, J. A., Framework for assessing
influence of organisation on plant safety, Reliability Engineering & System
Safety. 45 (1994) 157 - 171.
[12] Davoudian, K., Wu, J.-S. and Apostolakis, G. E., Incorporating organisational
factors into risk assessment through the analysis of work processes, Reliability
Engineering and System Safety. 45 (1994) 85-105.
[13] Davoudian, K., Wu, J.-S. and Apostolakis, G. E., The work process analysis
model (WPAM-II), Reliability Engineering and System Safety. 45 (1994) 107
- 125.
[14] Bellamy, L. J., Papazoglou, I. A., Hale, A. R., Aneziris, O. N., Ale, B. J. M.,
Morris, M. I. and Oh, J. I. H., I-RISK - Development of an Integrated Technical
and Management Risk Control and Monitoring Methodology for Managing and
Quantifying On-Site and Off-Site Risks. Main Report. Contract No: ENVA-CT96-0243, 1999.
[15] Papazoglou, I. A., Aneziris, O. N., Post, J. G. and Ale, B. J. M., Technical
modeling in integrated risk assessment of chemical installations, Journal of
Loss Prevention in the Process Industries. 15, 6 (2002) 545 - 554.
[16] Papazoglou, I. A., Bellamy, L. J., Hale, A. R., Aneziris, O. N., Post, J. G. and
Oh, J. I. H., I-Risk: development of an integrated technical and Management
risk methodology for chemical installations, Journal of Loss Prevention in the
Process Industries. 16 (2003) 575 - 591.
[17] Mosleh, A. and Goldfeiz, E. B., An Approach for Assessing the Impact of
Organisational Factors on Risk, Technical research report, CTRS, A. James
Clark School of Engineering, University of Maryland at College Park, 1996.
[18] Murphy, D. M. and Paté-Cornell, E. M., The SAM Framework: Modeling the
Effects of Management Factors on Human Behavior in Risk Analysis, Risk
Analysis. 16, 4 (1996).
[19] Paté-Cornell, E. M. and Murphy, D. M., Human and management factors in
probabilistic risk analysis: the SAM approach and observations from recent
applications, Reliability Engineering and System Safety. 53 (1996) 115 - 126.
[20] Øien, K., A framework for the establishment of organizational risk indicators,
Reliability Engineering & System Safety. 74, 2 (2001) 147-167.
Paper 4
Barrier and operational risk analysis of hydrocarbon releases (BORA-Release); Part II: Results from a case study
Abstract
This paper presents results from a case study carried out on an oil and gas
production platform with the purpose to apply and test BORA-Release, a method for
barrier and operational risk analysis of hydrocarbon releases. A description of the
BORA-Release method is given in part I of the paper. BORA-Release is applied to
express the platform specific hydrocarbon release frequencies for three release
scenarios for selected systems and activities on a specific platform. The method is
used to analyse the effect on the release frequency of safety barriers introduced to
prevent hydrocarbon releases, and to study the effect on the barrier performance of
platform specific conditions of technical, human, operational, and organisational risk
influencing factors (RIFs). BORA-Release is also used to analyse the effect on the
release frequency of several risk reducing measures.
Keywords: Risk analysis, hydrocarbon release, loss of containment, safety barrier,
organisational factor.
Introduction
The Petroleum Safety Authority Norway (PSA) focuses on safety barriers in their
regulations relating to management in the petroleum activities [1] and requires that it
shall be known what barriers have been established, which function they are
intended to fulfil, and what performance requirements have been defined with
respect to technical, operational, and organisational elements that are necessary for
the individual barrier to be effective.
These requirements and a recognition of the insufficient modelling of human,
operational, and organisational factors in existing quantitative risk analyses (QRA)
were the background for the BORA project [2]. The aim of the BORA project is to
perform a detailed and quantitative modelling of barrier performance, including
barriers to prevent the occurrence of initiating events (like hydrocarbon release) as
well as consequence reducing barriers. One of the activities in the BORA project has
been to develop BORA-Release, a method suitable for qualitative and quantitative
analyses of hydrocarbon release scenarios [3, 4]. The method has been tested in a
case study on a specific oil and gas producing platform. The purpose of the case
study was to determine the platform specific hydrocarbon release frequencies for
selected systems and activities for selected release scenarios and assess whether or
not BORA-Release is suitable for analyzing the effect of risk reduction measures
and changes that may increase the release frequency.
The main objective of the present paper is to present and discuss the results from a
case study on an oil and gas production platform on the Norwegian Continental
Shelf applying BORA-Release. BORA-Release has been used to analyse the release
frequency considering the effect of safety barriers introduced to prevent
hydrocarbon release and analyse the effect on the barrier performance of platform
specific conditions of technical, human, operational, as well as organisational risk
influencing factors (RIFs).
This paper contains four main sections where this first section describes the
background and the purpose of the paper. The next section explains how the case
study was carried out, the basis for the case study with respect to selection of release
scenarios for detailed analysis, and relevant descriptions of the technical systems,
operational activities, and conditions. Section three presents the results from the
qualitative and quantitative analyses of the selected scenarios and the overall results.
A discussion of the results and experiences from the case study, and some
conclusions are presented in section four.
a flowline inspection. The leak test is a routine operation for the area technicians as
no procedure describes the activity, but the result from the final (successful) leak test
is documented in the platform log book.
A hierarchical task analysis (HTA) was performed for the flowline inspection
activity in order to get an understanding of the work process. The top structure of the
HTA is shown in Figure 1. The detailed HTA was reviewed by operational
personnel and discussed in a workshop.
[Figure 1: top structure of the HTA. 0 Flowline inspection; Plan 0: 1 trigger (2 - 8 in order); 1 Plan work onshore; 2 Plan work offshore; 3 Preparation/well shutdown; 4 Disassemble flowline; 5 Inspect flowline; 6 Assemble flowline; 7 Perform leak test; 8 Start up production.]
The process segment between the separator and the pipeline was selected as analysis
object for the corrosion scenario. This segment is mainly made of carbon steel and
the pipes are not insulated. The pressure is 13 - 20 bars upstream of the production
pump, and 23 - 35 bars on the downstream side of the pump. The temperature varies
from 70 °C in the main flow pipes to 10 °C in the dead legs.
In order to develop and make detailed descriptions of the release scenarios, two
workshops were arranged. Draft descriptions of the release scenarios based on
review of documentation were developed prior to the workshops as basis for
discussion. Scenario A and B were discussed in the first workshop and scenario C
was discussed in the second workshop. Operational personnel from the platform and
safety specialists from the company attended the first workshop while corrosion
specialists from the oil company also attended the second workshop.
The analyses of scenario A and B were carried out strictly according to the general
method description and are described in the following. The analysis of scenario C
differed somewhat from the general method description and is described afterwards.
Two additional workshops, with operational personnel from the platform and safety
specialists from the oil company, were arranged in order to model the performance
of the safety barriers, and to identify and weight the RIFs for scenarios A and B. The
RIF-framework described in [3] was used as basis for the identification of RIFs. The
weights were established by common agreement from discussions in the workshop.
The most important RIF for each basic event was identified and assigned a relative
weight equal to 10. Thereafter, the other RIFs were given weights relative to the
most important one on the scale 10 - 8 - 6 - 4 - 2.
The generic input data were discussed in the workshops and some input data were
established based on discussions during the workshops. The assignment of industry
average data for human errors was primarily based on data from THERP ([6]).
The scoring of the RIFs was based on secondary analysis of answers on a
questionnaire from a survey of the risk level on the Norwegian Continental Shelf
(RNNS-project) [7]. Further information about the scoring is given in [8].
Revised input data were established by the analysts as described in the method
description [3] using the formula:
$$P_{rev}(A) = P_{ave}(A) \sum_{i=1}^{n} w_i Q_i \tag{1}$$

$$\sum_{i=1}^{n} w_i = 1 \tag{2}$$
The revised platform specific data were used as input in the risk model in order to
recalculate the release frequencies for the selected scenarios.
The analysis of scenario C was carried out somewhat differently. The two main
differences were; 1) An overall RIF-analysis was not carried out, but the effects of
changes were studied based on sensitivity analyses, and 2) Fault tree analysis was
not used for quantitative analysis of the inspection effectiveness. The performance
of the safety barrier inspection was analysed based on a method described by API
[9], and assessment of the practice on the platform. Several workshops were
arranged to discuss the model used for analysis of the corrosion scenario and the
current status of corrosion and inspection on the platform. In addition, results from
the last inspection were reviewed in order to predict the corrosion rate within the
system.
3
3.1
Release due to valve(s) set in wrong position after flowline inspection may occur if the area
technician forgets to close some SP valves prior to start up of production.
Initiating event
During maintenance, i.e., while disconnecting hoses after the leak test.
Operational mode at time of release
The release may be prevented if the following barrier functions are fulfilled:
Detection of valve(s) in wrong position
Barrier systems
The release may be prevented if the following barrier systems function:
System for self control / use of checklist in order to detect possible valve(s) in fail position.
System for 3rd party control of work (actually, no 3rd party control of work is required in this scenario).
Assumptions
On the flowline system, SP1- and SP2-valves may be in wrong position after the flowline
inspection. In addition, the two valves on the closed drain system connected to the hoses
may be in wrong position after the inspection.
The area technician operates these valves (depressurization, draining, and pressurization
during the leak test).
There is no 3rd party control of the work performed by the area technician.
It is assumed that corrective action is carried out if a valve is revealed in wrong position.
These valves are used during the leak test where the purpose is to test the tightness of the
flanges, and the valves may be left in open position after the leak test.
A leak due to an open valve on the flowline system will most probably be detected during
start-up of normal production, either manually by the area technician, or automatically by
gas detectors in the area. The area technician will stay in the wellhead area during start up
of production and may manually close the open SP-valve, or close the choke valve.
The barrier block diagram for scenario A is shown in Figure 2. The fault trees for the
safety barriers Self control of work (A1) and 3rd party control of work (A2) are
illustrated in Figures 3 and 4. Further, the risk influence diagrams for the basic
events A02 (see Table 1), A11, A12, and A13 are shown in Figures 5, 6, 7 and 8,
respectively.
[Figure 2. Barrier block diagram for scenario A. Initiating event A0: valve(s) in wrong position after maintenance. Barrier function: detection of valve(s) in wrong position, with barriers A1 and A2. End event: safe state, failure revealed and corrected.]
[Figures 3 and 4. Fault trees for barriers A1 and A2. Events shown include "Failure to perform 3rd party control of work" and "Checker fails to detect a valve in wrong position".]
[Figures 5 to 8. Risk influence diagrams for basic events A02, A11, A12, and A13.]
Table 1 summarizes all input data, weights, scores for all RIFs, and the adjustment
factors (MF) for scenario A.
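Table 1. Scenario A - Generic input data, weights, scores, and revised input data.

| Basic event | Pave | Plow | Phigh | Basic event / RIF | wi | si 1) | MF 2) | Prev |
|---|---|---|---|---|---|---|---|---|
| A01 | nA = 28 | | | No. of flowline inspections per year | | | | |
| A02 | 0.003 | 0.001 | 0.009 | P(valve(s) in wrong position after maintenance) | | | 1.29 | 0.0039 |
| | | | | A021 Process complexity | 2 | C | | |
| | | | | A022 Maintainability/accessibility | 2 | C | | |
| | | | | A023 Human-Machine interface (HMI) | 2 | D | | |
| | | | | A023 Time pressure | 10 | D | | |
| | | | | A024 Competence of area technician | 10 | C | | |
| | | | | A025 Work permit | 2 | C | | |
| A11 | 0 3) | | | P(Failure to specify self control) | | | | |
| | | | | A11 Program for self control | | | | |
| A12 | 0.010 | 0.003 | 0.030 | P(Failure to perform self control when specified) | | | 1.51 | 0.015 |
| | | | | A121 Work practice | 10 | D | | |
| | | | | A122 Time pressure | 10 | D | | |
| | | | | A123 Work permit | 6 | C | | |
| A13 | 0.33 | 0.066 | 0.66 | P(Failure to detect valve in wrong pos. by self control) | | | 1.13 | 0.37 |
| | | | | A131 HMI | 2 | D | | |
| | | | | A132 Maintainability/accessibility | 2 | C | | |
| | | | | A133 Time pressure | 10 | D | | |
| | | | | A134 Competence of area technician | 10 | C | | |
| | | | | A135 Procedures for self control | 2 | C | | |
| | | | | A136 Work permit | 4 | C | | |
| A21 | 1.0 4) | | | P(Failure to specify 3rd party control) | | | | |
| | | | | A211 Program for 3rd party control | | | | |
| A22 | 0.01 | 0.002 | 0.05 | P(Failure to perform 3rd party control of work) | | | 2.03 | 0.02 |
| | | | | A221 Work practice | 10 | D | | |
| | | | | A222 Time pressure | 10 | D | | |
| | | | | A223 Work permit | 6 | C | | |
| A23 | 0.1 | 0.02 | 0.5 | P(Checker fails to detect valve in wrong position) | | | 1.53 | 0.15 |
| | | | | A231 HMI | 2 | D | | |
| | | | | A232 Maintainability/accessibility | 2 | C | | |
| | | | | A233 Time pressure | 10 | D | | |
| | | | | A234 Competence of area technician | 10 | C | | |
| | | | | A235 Procedures for self control | 2 | C | | |
| | | | | A236 Work permit | 4 | C | | |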
The results from the quantitative analysis of the release frequency due to valve(s) in
incorrect position after flowline inspection are shown in Table 2. The release
frequency due to valve(s) in wrong position after flowline inspection by use of
generic input data is 0.028 per year, while the corresponding frequency by use of
adjusted input data allowing for platform specific conditions of the identified RIFs is
0.041 per year. This implies an increase in the release frequency by 46 % from
scenario A by use of the revised input data. The frequency of the initiating event has
increased by 28 % (from 0.084 to 0.11 per year), while the probability of failure of
barrier A1 (self control) has increased by 14 % (from 0.34 to 0.38).
Table 2. Scenario A - Results from calculations.

| Event | Generic data | Revised data |
|---|---|---|
| f(A0) 1) | 0.084 | 0.11 |
| PFailure(A1) 2) | 0.34 | 0.38 |
| PFailure(A2) 3) | 1.0 | 1.0 |
| A 4) | 0.028 | 0.041 |
3.2 Scenario B
System for leak tests may reveal potential failures prior to start up of
production. The leak test may be carried out in two ways: 1) by use of
glycol/water or 2) by use of injection water.
The results from scenario B are not described in as much detail as the results from
scenario A since the principles of the method are already illustrated, but the barrier
block diagram for scenario B is shown in Figure 9. Neither the fault trees of the barriers,
nor the risk influence diagrams are shown since the principles are similar to those used in
scenario A.
[Figure 9. Barrier block diagram for scenario B. Initiating event B0: incorrect fitting of flanges during maintenance. Barrier functions: detection of incorrect fitting of flanges (B1 self-control of work, B2 3rd party control of work) and detection of release prior to normal production (B3 leak test). End events: safe state (failure revealed and corrected) or release.]
Table 3 summarizes all input data, weights, scores for all RIFs, as well as the
adjustment factors for scenario B.
| Basic event | Pave | Plow | Phigh | Basic event / RIF | wi | si | MF | Prev |
|---|---|---|---|---|---|---|---|---|
| | | | | No. of flowline inspection per year | | | | |
| | | | 0.15 | P(Incorrect fitting of flange or bolts) | | | 1.27 | 0.038 |
| | | | | B021 Process complexity | 2 | C | | |
| | | | | B022 Maintainability/accessibility | 2 | C | | |
| | | | | B023 Task complexity | 10 | C | | |
| | | | | B024 Time pressure | 6 | D | | |
| | | | | B025 Competence of mechanician | 10 | C | | |
| B11 | 1.0 1) | | | P(Failure to specify self control) | | | | |
| | | | | B111 Program for self control | | | | |
| B12 | 0.010 | 0.003 | 0.030 | P(Failure to perform self control when specified) | | | 1.51 | 0.015 |
| | | | | B121 Work practice | 10 | D | | |
| | | | | B122 Time pressure | 10 | D | | |
| | | | | B123 Work permit | 6 | C | | |
| B13 | 0.33 | 0.066 | 0.66 | P(Failure to reveal incorrect fitting by self control) | | | 1.09 | 0.36 |
| | | | | B131 HMI | 2 | D | | |
| | | | | B132 Maintainability/accessibility | 2 | C | | |
| | | | | B133 Time pressure | 6 | D | | |
| | | | | B134 Competence of mechanician | 10 | C | | |
| | | | | B135 Procedures for self control | 10 | C | | |
| B21 | 1.0 2) | | | P(Failure to specify 3rd party control of work) | | | | |
| | | | | B211 Program for 3rd party control | | | | |
| B22 | 0.01 | 0.002 | 0.05 | P(Failure to perform 3rd party control of work) | | | 2.03 | 0.02 |
| | | | | B221 Work practice | 10 | D | | |
| | | | | B222 Time pressure | 10 | D | | |
| | | | | B223 Work permit | 6 | C | | |
| B23 | 0.1 | 0.02 | 0.5 | P(Checker fails to detect incorrect fitting) | | | 1.31 | 0.13 |
| | | | | B231 HMI | 2 | D | | |
| | | | | B232 Maintainability/accessibility | 2 | C | | |
| | | | | B233 Time pressure | 4 | D | | |
| | | | | B234 Competence of checker | 10 | C | | |
| | | | | B235 Procedures for 3rd party control | 4 | C | | |
| | | | | B236 Work permit | 4 | C | | |
| B31 | 1.0 3) | | | P(Failure to specify leak test) | | | | |
| | | | | B311 Program for leak test | | | | |
| B32 | 0.01 | 0.002 | 0.05 | P(Failure to perform leak test when specified) | | | 2.03 | 0.02 |
| | | | | B321 Work practice | 10 | D | | |
| | | | | B322 Time pressure | 10 | D | | |
| | | | | B323 Work permit | 6 | C | | |
| B33 | 0.03 | 0.006 | 0.15 | P(Failure to detect incorrect fitting by leak test) | | | 1.56 | 0.047 |
| | | | | B331 Communication | 10 | D | | |
| | | | | B332 Methodology | 2 | C | | |
| | | | | B333 Procedures for leak test | 2 | C | | |
| | | | | B334 Competence of area technician | 10 | C | | |

1) Self control is specified in this case as the probability of failure to specify self control is 0.
2) 3rd party control of work is not specified as the probability of failure to specify 3rd party control is 0.
3) Leak test is specified in this case, as the probability of failure to specify leak test is 0.
The results from the quantitative analysis of scenario B are shown in Table 4. The
release frequency due to incorrect fitting of flanges or bolts during flowline
inspection is 0.0012 per year by use of generic input data. The corresponding release
frequency by use of adjusted input data allowing for platform specific conditions of
the RIFs is 0.0038 per year. Consequently, the release frequency due to scenario B
has increased by 214 %. The frequency of the initiating event (No. of valves in
incorrect position after inspection) has increased by 27 % from 0.84 to 1.064 per
year. The probability of failure to detect release by self control has increased by 10
% (from 0.34 to 0.37) and the probability of failure to detect release by 3rd party
control has increased by 36 % from 0.11 to 0.15. Finally, the probability of failure to
detect release by leak test has increased by 66 % from 0.040 to 0.066.
Table 4. Scenario B - Results from calculations.

| Event | Generic data | Revised data |
|---|---|---|
| f(B0) 1) | 0.84 | 1.064 |
| PFailure(B1) 2) | 0.34 | 0.37 |
| PFailure(B2) 3) | 0.11 | 0.15 |
| PFailure(B3) 4) | 0.040 | 0.066 |
| B 5) | 0.0012 | 0.0038 |
3.3 Scenario C
Scenario name
Releases caused by internal corrosion. The relevant types of internal corrosion within the
actual system on the platform are:
a) CO2-corrosion (local and uniform)
b) Microbial Influenced Corrosion (MIC)
Other types of corrosion like H2S-corrosion are not considered to be a problem on the
platform.
Two corrosion groups (CG) are defined within the actual system; CG1) Main flow pipes and
CG2) Dead legs.
Initiating event
The initiating event for this scenario is Corrosion rate due to internal corrosion beyond
critical limit. Quantitatively, the initiating event is defined as Number of leaks per year due
to corrosion if no safety barriers or corrective actions are implemented.
Factors influencing the initiating event
The release may be prevented if the following safety functions are fulfilled:
Detection of internal corrosion to prevent release
Detection of diffuse or minor hydrocarbon release
Barrier systems
The release may be prevented if the following safety barriers function:
System for inspection to detect potential corrosion.
System for condition monitoring of equipment to detect potential corrosion.
System for area based leak search may detect diffuse discharges before they develop into significant leaks.
System for detection of minor hydrocarbon (HC) releases (automatic or manual gas detection) may detect minor releases before they develop into significant leaks.
Assumptions
Critical limit is defined as damage rate (d) greater than critical damage rate (dcritical). This
damage rate will result in wall thickness (t) less than wall thickness when release is
expected (trelease) before next inspection.
A rate model is applied for both CO2-corrosion and MIC.
Figure 10 shows a barrier block diagram for the release scenario "Release due to
internal corrosion".
[Figure 10. Barrier block diagram for scenario C. Initiating event: internal corrosion beyond critical limit. Barrier functions: detection of internal corrosion (C1 inspection, condition monitoring) and detection of diffuse or minor release (C2, C3, system for hydrocarbon detection). End events: safe state (internal corrosion revealed; revision of analysis; diffuse discharge revealed; minor release revealed) or release.]
Figures 11-13 show the basic fault tree modelling of the safety barriers inspection
(C1), condition monitoring (C2), and area based leak search (C3) illustrated in the
barrier block diagram in Figure 10. The system for detection of hydrocarbons has
not been analysed any further in the case study. In principle, the barriers are equal
for both corrosion groups, however, the quantitative analysis is different.
[Figure 11. Fault tree for barrier C1, inspection. Top event: inspection fails to detect corrosion rate beyond critical limit. Events shown: failure to perform inspection; inspection not specified in program; inspection specified, but not performed as planned; basic events C11 to C15.]
[Fault tree diagram for C2. Top event: condition monitoring fails to detect corrosion beyond critical limit. Events shown: failure to perform condition monitoring; condition monitoring not specified in program; condition monitoring specified, but not performed as planned; basic events C21 to C24.]
Figure 12. Fault tree for barrier no. C2, condition monitoring.
[Fault tree diagram for C3. Events shown: failure to perform daily inspection; failure to perform area based leak search; daily inspection specified, but not performed; basic events C31 to C36.]
Figure 13. Fault tree for barrier no. C3, area based leak search.
[Figure 14. Event tree for the corrosion scenario. Initiating event: corrosion beyond critical limit (frequency 0C). Barriers: inspection (C1), condition monitoring (C2), area based leak search (C3, diffuse release, 25 %), and system for HC detection (C4), each with a success and a failure branch. End states: safe state (revision of analysis; diffuse discharge revealed; minor release revealed) or significant release.]
Safe state means that the damage rate is under control and corrective actions will be
implemented before a release occurs.
The damage rate is often denoted as corrosion rate.
$$t_{release} = \frac{q_0 - q_{release}}{d} \qquad (3)$$

The damage rate d is unknown, but may be predicted e.g., by using measurements
from inspections.
If $\hat{d}$ denotes the predicted damage rate, a prediction of $t_{release}$, $\hat{t}_{release}$, may be
determined from the following;

$$\hat{t}_{release} = \frac{q_0 - q_{release}}{\hat{d}} \qquad (4)$$

$d \le \hat{d}$
In this case we will not have release before $\hat{t}_{release}$ (because $t_{release} \ge \hat{t}_{release}$).
As $t_i \le 0.5\,\hat{t}_{release}$, we have $t_{release} \ge t_{i+1}$. Thus, even if the first inspection ($t_i$) is
cancelled, an inspection ($t_{i+1}$) will take place before release will occur.

s2 Predicted rate to two times rate: $d \in (\hat{d}, 2\hat{d}]$
In this case $t_{release} > t_i$, but $t_{i+1} \ge t_{release}$. A release may occur if an inspection is
delayed or cancelled.

s3 Two to four times predicted rate: $d > 2\hat{d}$
In this case, $t_{release} < t_i$, and a release will occur prior to the first inspection.
Hence, the probability of failure to reveal that the actual damage rate is greater than
the critical damage rate (d > dcritical) by inspection may as an approximation be
expressed as;
(5)
where P(delayed) expresses the probability that the planned inspection at time ti is
delayed or cancelled. In formula (5), P(delayed) corresponds to the probability of
occurrence of basic event C12 in Figure 11, while P(s3) denotes the probability of
occurrence of basic event C13. The effect of poor inspection reliability (basic event
C14 and basic event C15) is not included in the quantification process in this case
study. However, this may be included as part of further work.
Our confidence in the predicted damage rate ($\hat{d}$) is important when using this formula.
API [9] describes how to calculate the effect of the inspection program on the
confidence level in the damage rate and presents data for the confidence in predicted
damage rates prior to an inspection, the likelihood that the inspection results
determine the true damage state, and the confidence in damage rate after inspections.
As mentioned above, the frequency of the initiating event (0C) in Figure 14
expresses a prediction of the release frequency per year due to corrosion if no safety
barriers are functioning or corrective actions are implemented from today. The
frequency 0C is calculated as the number of segments with $\hat{t}_{release}$ less than 10 years
divided by 10 years. The time limit has been set to 10 years since the maximum
permissible inspection interval is 5 years and $t_i \le 0.5\,\hat{t}_{release}$. The prediction of 0C
is based on results from the last inspection on the platform and is calculated to be 2.2
per year. This frequency is based on a prediction of the damage rate ($\hat{d}$). Therefore,
a consequence of changes in $\hat{d}$ is that 0C must be recalculated. We need to
calculate 0C for each of the defined corrosion groups, where 0C CG 1 relates to
corrosion group 1, Main flow pipes, and 0C CG 2 relates to corrosion group 2, Dead
legs. Based on a rough calculation, the following numbers were used in this case
study:
0C CG 1 = 0.8 leaks/year,
0C CG 2 = 1.4 leaks/year
In order to quantify the expected release frequency per year due to internal
corrosion, quantitative numbers should be assigned to the input in formula (1) and
all basic events in the fault trees in Figure 12 and Figure 13. The assigned numbers
are presented in Table 5 both for corrosion group 1 and corrosion group 2.
Table 5. Corrosion; Summary of generic input data.
Event
notation
Event description
C0 CG 1 / 2
1)
0.1
Rough calculation
0.11 2)
0.047 3)
0.24
0.14
0 4)
0.1
0.1
0.4
1.0 5)
Expert judgment
0.6
0.6
Expert judgment
0 6)
Expert judgment
0.1
0.1
Rough calculation
0.9
0.9
Expert judgment
0 7)
Expert judgment
0.1
0.1
Rough calculation
0.75
0.75
Expert judgment
0.2 8)
0.2 8)
Rough calculation
Expert judgment
Rough calculation
Based on the described models and the data in Table 5, the probabilities of failures
of the different barriers and expected release frequencies per year are calculated as
shown in Table 6. The annual hydrocarbon release frequency due to internal
corrosion in the system is 0.043 releases per year.
Table 6. Scenario C - Results from calculations.

| Event | CG 1 | CG 2 |
|---|---|---|
| 0C 1) | 0.8 | 1.4 |
| PFailure(C1) 2) | 0.12 | 0.056 |
| PFailure(C2) 3) | 0.32 | 0.64 |
| PFailure(C3) 4) | 0.71 | 0.71 |
| PFailure(C4) 5) | 0.2 | 0.2 |
| C 6) | 0.016 | 0.027 |
The main approach in order to analyse the effect of RIFs (technical conditions,
human factors, operational conditions and organisational factors) is use of risk
influence diagrams as applied for scenario A and B. Qualitative analyses by
developing risk influence diagrams have been carried out for a sample of basic events
in the fault trees for scenario C in order to carry out sensitivity analysis for
assessment of the effect of risk reducing measures, but a complete quantitative
analysis of all the risk influence diagrams has not been performed. A somewhat
different approach has been used to analyse the efficiency of inspection programs
quantitatively. As previously described, the expected release frequency due to
corrosion depends on our confidence in the predicted damage rate. The confidence
in the predicted damage rate depends on the inspection efficiency; a highly efficient
inspection program will give a higher confidence than a fairly efficient inspection
program. The relation between the inspection program and its efficiency for local
CO2 corrosion and MIC is described in the literature [9, 10]. The confidence will
also depend on the inspection reliability (basic events C14 and C15 in Figure 11).
C14 was not analysed any further in the case study, while C15 was analysed
qualitatively by a risk influence diagram (see Figure 15). Risk influence diagrams
for basic events C33 and C36 are shown in Figure 16 and Figure 17, respectively.
[Figures 15 to 17. Risk influence diagrams for basic events C15, C33, and C36. RIFs shown for C15 (WB C151 to C155): size of corrosion, procedure for inspection, accessibility, competence of inspector, time pressure. RIFs shown for C33 (WB C331 to C335): process complexity, accessibility, tidiness and cleaning, painting, time pressure. RIFs shown for C36 (WB C361 to C366): process complexity, accessibility, tidiness and cleaning, painting, procedures for area based leak search, time pressure.]
3.4 Sensitivity analyses
One of the purposes of the case study was to analyse the effect of changes and assess
whether BORA-Release is suitable to analyse the effect of risk reducing measures
and changes that may increase the hydrocarbon release frequency.
The following risk reducing measures were analysed for scenario A and B in order to
calculate the effect on the release frequency:
1. Implementation of an additional barrier, 3rd party control of work (control of
closed valves) for scenario A. The probability of failure to specify 3rd party
control is 0.1.
2. Improvement of the score of all RIFs by one grade (from D to C, from C to B,
etc.).
3. Improvement of the score of the RIF Communication (from D to C). This RIF
influences basic event B33 in scenario B.
4. Improvement of the RIF Time pressure (from D to C). This RIF influences
several basic events in scenario A as well as scenario B.
The results of the sensitivity analyses for scenario A and B are shown in Table 7.
The sum of the release frequency for scenario A and B (A + B from Table 2 and
Table 4) is used as base case frequency.
Table 7. Results from sensitivity analyses for scenario A and B.

| Sensitivity no. | Input data | Base case frequency | Sensitivity frequency | Change (%) |
|---|---|---|---|---|
| 1 | Generic | 0.0295 | 0.0068 | -76.9 |
| | Revised | 0.0453 | 0.0143 | -68.3 |
| 2 | Generic | 0.0295 | 0.0295 | 0.0 |
| | Revised | 0.0453 | 0.0179 | -60.5 |
| 3 | Generic | 0.0295 | 0.0295 | 0.0 |
| | Revised | 0.0453 | 0.0443 | -2.1 |
| 4 | Generic | 0.0295 | 0.0295 | 0.0 |
| | Revised | 0.0453 | 0.0326 | -27.9 |
The following sensitivity analyses have been executed for scenario C in order to
analyze the effect on the release frequency due to changes in RIFs influencing the
corrosion scenario:
BORA-Release has been used to analyse three hydrocarbon release scenarios on one
specific oil and gas production platform on the Norwegian Continental Shelf.
Application of BORA-Release for analysis of the loss of containment barrier
evidently presents a more detailed risk picture than traditional QRA since no
analyses of causal factors of hydrocarbon release are carried out in existing QRA.
Analysis of consequence reducing barriers on the platform has not been within the
scope of the case study.
The qualitative modelling of the release scenarios by use of barrier block diagrams
has raised the question among personnel in the oil company of which types of barriers
may most effectively prevent hydrocarbon release. One example is the
discussions of whether 3rd party control of work to reveal potential valve(s) in wrong
position should be implemented as part of the flowline inspection. This discussion
was supported by the results from the sensitivity analyses that showed that
implementation of an additional barrier (3rd party control of work) in scenario A
reduced the release frequency from scenario A and B with 77 % by use of generic
data and 68 % by use of revised data. Similarly, the qualitative modelling of barrier
performance by use of fault trees and risk influence diagrams raised the
consciousness of different RIFs that influenced the barrier performance.
A main question as regards the quantitative results is whether the calculated release
frequencies are trustworthy (i.e., whether we are confident that the frequencies
provide good predictions of the actual number of releases) since the analysis is based
on a number of assumptions and simplifications. These relate to the basic risk
model, the generic input data, the risk influence diagrams, the scoring of RIFs, the
weighting of RIFs, or the adjustment of the input data. The quantitative results in the
case study for scenario A and B based on generic data were assessed to be
reasonable compared to release statistics. This view was supported by the comments
from the personnel from the actual oil company. The confidence in the results based
on the revised input data was not as good due to use of the RNNS-data for scoring of
RIFs. Since the scoring was based on few and generic questions not originally meant
to be used as basis for RIF-scoring, the validity4 of the scoring was assessed to be
low. The main reason for use of RNNS-data to assess the status of RIFs in the case
study was the demand for use of existing data in order to minimize the use of
resources from the industry representatives in the steering group for the BORA
project. Since the revised release frequency to a high degree was influenced by the
results from the RNNS-survey, the approach chosen for scoring of RIFs should be
discussed in the further work.
Another aspect of the scoring is how specific the assessment of the status of RIFs
needs to be. This may be illustrated by an example; is it sufficient to assess the
competence in general for all groups of personnel on a platform, or is it necessary to
assess the competence for each group in order to reflect differences between the
groups? As far as possible, the level of detail should be sufficiently detailed and
specific to reflect scenario specific factors, but in practice, it may be necessary to be
somewhat more general.
The confidence in the quantitative results from the corrosion scenario by personnel
from the actual oil company is lower than for scenario A and B. The corrosion
phenomenon is a complex and dynamic scenario and several assumptions made
during the work should be further discussed. The present version is a test model and
further research is required to better reflect how more aspects of the corrosion
scenario influence the release frequency, e.g., the effect of the inspection reliability
(see [13] for a discussion of attributes characterizing barrier performance).
The case study has demonstrated that BORA-Release is a useful tool for analysing
the effect on the hydrocarbon release frequency of safety barriers introduced to
prevent hydrocarbon releases, and to study the effect on the barrier performance of
platform specific conditions of technical, human, operational, and organizational
RIFs. One of the main application areas of BORA-Release may be to study the
effect on the release frequency of risk reducing measures or risk increasing changes.
When it comes to further work, BORA-Release should be applied for analysis of the
other release scenarios described in [5]. This set of release scenarios is considered to
constitute a comprehensive and representative set of hydrocarbon release scenarios
where the initiating events cover the most frequent causes of hydrocarbon
releases. The scenarios include the most important barrier functions and barrier
systems introduced to prevent hydrocarbon release. A detailed analysis of these
scenarios will increase the knowledge about how safety barriers influence the release
frequency, and how technical, human, operational, and organisational RIFs influence
the barrier performance on a platform.
The main focus on the further development of BORA-Release should be on other
methods for assessment of the status of RIFs. Two possible ways are use of results
from the TTS project [14], or to develop specific scoring schemes for the different
RIFs similar to BARS as described in Jacobs and Haber [15]. Since the main focus
Acknowledgements
The case study is carried out as part of the BORA-project financed by the
Norwegian Research Council, The Norwegian Oil Industry Association, and Health
and Safety Executive in UK. The authors acknowledge personnel from the actual oil
company that attended the workshops, and Helge Langseth at SINTEF for valuable
input as regards quantification of the inspection effectiveness.
References
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
Paper 5
Snorre Sklet
Journal of Hazardous Materials
2004, Volume 111, Issues 1-3, Pages 29-37
Abstract
Even if the focus on risk management is increasing in our society, major accidents resulting in several fatalities seem to be unavoidable
in some industries. Since the consequences of such major accidents are unacceptable, a thorough investigation of the accidents should be
performed in order to learn from what has happened, and prevent future accidents.
During the last decades, a number of methods for accident investigation have been developed. Each of these methods has different areas of
application and different qualities and deficiencies. A combination of several methods ought to be used in a comprehensive investigation of a
complex accident.
This paper gives a brief description of a selection of some important, recognised, and commonly used methods for investigation of accidents.
Further, the selected methods are compared according to important characteristics.
© 2004 Elsevier B.V. All rights reserved.
Keywords: Accident investigation; Risk management; Accidents
1. Introduction
Even if the frequency is low, major accidents seem to
be unavoidable in some low-frequency, high consequence
industries. The process industry accidents at Longford
[1] and on the Piper Alpha platform [2], the loss of the
space-shuttles Challenger [3] and Columbia [4], the high
speed craft Sleipner-accident [5], and the railway accidents
at Ladbroke Grove [6] and Åsta [7] are all tragic examples
of major accidents in different industries. The consequences
of such major accidents are not accepted in our society,
therefore major accidents should be investigated in order
to prevent them from reoccurring (called organisational
learning by [8]). This is also in accordance with the evolutionary strategy for risk management (one out of three main
strategies) described by [9].1
E-mail address: Snorre.Sklet@sintef.no (S. Sklet).
[9] described the following three strategies for risk management:
The next characteristic considered is what kind of accident models have influenced the method. This characteristic is assessed because the investigators' mental models
of the accident influence their view of accident causation.
The following accident models are used (further description
of the models is given by Kjellén [11]):
A. Causal-sequence model.
B. Process model.
C. Energy model.
D. Logical tree model.
E. SHE-management models.
[Figure: event chain of events and conditions with attached causal factors; questions are asked to determine causal factors (why, how, what, and who).]
[Figure: three levels linked by influences. Organizational level: meta decisions (process, procedures, structure, culture), Ok. Decisions and actions level: decisions in specific cases, Aij. Basic events (component failures and operator errors), Ei, with effects on component reliability.]
Second, for each of these basic events, the human decisions and actions (noted Aij ) influencing these basic events
are identified and classified in meaningful categories (in the
case of Piper Alpha, these categories were: (i) design decisions; (ii) production and expansion decisions; (iii) personnel management; and (iv) inspection, maintenance, and
correction of detected problems).
The third step is to relate the decisions, human errors,
and questionable judgements that contribute to the accident to a certain number of basic organisational factors.
These factors may be rooted in the characteristics of the
company, the industry or even the government authorities.
Both the basic events (accident scenario), the decisions
and actions influencing these basic events, the basic organisational factors, and the dependencies among them, are illustrated in an influence diagram.
An event tree is used to analyse event sequences following after an initiating event [26]. The event sequence is influenced by either success or failure of numerous barriers or
safety functions/systems. The event sequence leads to a set
of possible consequences. The consequences may be considered as acceptable or unacceptable. The event sequence
is illustrated graphically where each safety system is modelled for two states, operation and failure.
An event tree analysis is primarily a proactive risk analysis method used to identify possible event sequences, but the
event tree may also be used to identify and illustrate event
sequences and to obtain a qualitative and quantitative representation and assessment. In an accident investigation we
may illustrate the accident path as one of the possible event
sequences.
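The event tree described above, as an added example that is not part of the original paper: each barrier is modelled in two states, every event sequence after the initiating event is enumerated with its frequency and consequence, and the accident path found in an investigation is picked out as one of those sequences. The scenario, barrier names, probabilities and consequence classes are constructed for illustration, and barrier failures are assumed independent.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Barrier:
    name: str
    p_fail: float  # probability that the barrier fails when demanded (constructed value)


@dataclass(frozen=True)
class EventSequence:
    states: tuple      # one bool per barrier: True = operation, False = failure
    frequency: float   # initiating frequency multiplied along the branch
    consequence: str


def build_event_tree(init_freq, barriers, consequence_of):
    """Enumerate all 2**n event sequences that can follow the initiating event.

    Barrier failures are treated as independent, so common cause failures
    are not represented in this sketch.
    """
    sequences = []
    for states in product((True, False), repeat=len(barriers)):
        freq = init_freq
        for barrier, ok in zip(barriers, states):
            freq *= (1.0 - barrier.p_fail) if ok else barrier.p_fail
        sequences.append(EventSequence(states, freq, consequence_of(states)))
    return sequences


def frequency_by_consequence(sequences):
    """Quantitative use: total frequency of each consequence."""
    totals = {}
    for seq in sequences:
        totals[seq.consequence] = totals.get(seq.consequence, 0.0) + seq.frequency
    return totals


def accident_path(sequences, observed_states):
    """Investigation use: return the sequence matching the barrier states found."""
    observed = tuple(observed_states)
    for seq in sequences:
        if seq.states == observed:
            return seq
    raise ValueError("observed barrier states do not match any sequence")


# Constructed scenario: a hydrocarbon leak followed by three barriers.
BARRIERS = [
    Barrier("leak detection", 0.05),
    Barrier("isolation of leak", 0.02),
    Barrier("ignition prevention", 0.10),
]
INIT_FREQ = 0.1  # leaks per year (constructed)


def consequence_of(states):
    """Constructed consequence classes, split into acceptable and unacceptable."""
    detected, isolated, not_ignited = states
    if detected and isolated:
        # Simplification: an isolated leak is acceptable whatever the third barrier does.
        return "leak isolated (acceptable)"
    if not_ignited:
        return "unignited release (unacceptable)"
    return "fire (unacceptable)"


TREE = build_event_tree(INIT_FREQ, BARRIERS, consequence_of)

if __name__ == "__main__":
    for seq in TREE:
        branch = ", ".join(
            f"{b.name}: {'operation' if ok else 'failure'}"
            for b, ok in zip(BARRIERS, seq.states)
        )
        print(f"{seq.frequency:.5f}/yr  {seq.consequence:34s} {branch}")
    print(frequency_by_consequence(TREE))
    # Investigation finding (constructed): leak detected, isolation and
    # ignition prevention both failed.
    print(accident_path(TREE, (True, False, False)))
```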
3.8. MORT
MORT [13] provides a systematic method (analytic tree)
for planning, organising, and conducting a comprehensive
accident investigation. Through MORT analysis, investigators identify deficiencies in specific control factors and
in management system factors. These factors are evaluated and analysed to identify the causal factors of the
accident.
[Figure: loss causation chain. Inadequate: program, program standards, compliance to standards. Basic causes: personal factors, job factors. Immediate causes: substandard acts, substandard conditions. Incident: contact with energy, substance or people. Loss: people, property, product, environment, service.]
Basically, MORT is a graphical checklist which contains generic questions that investigators attempt to answer
using available factual data. This enables investigators to focus on potential key causal factors.
3.11. MTO-analysis
The basis for the MTO-analysis is that human, organisational, and technical factors should be given equal focus in
an accident investigation [28,29]. The method is based on
Human Performance Enhancement System (HPES) which
is not described further in this paper.
The MTO-analysis is based on three methods:
[Figure: change analysis (normal, deviation), chain of events, causes, barrier analysis.]
[Figure: hazard; failed control; failed defence; failed controls or defences; victim or target; accident/event; latent failure(s); precondition(s); active failure(s).]
Table 1
Characteristics of different accident investigation methods
Method | Accident sequence | Focus on safety barriers | Levels of analysis | Accident model | Primary/secondary | Analytical approach | Training need
 | Yes | No | 1–4 | B | Primary | Non-system oriented | Novice
 | Yes | Yes | 1–4 | B | Secondary | Non-system oriented | Specialist
 | No | Yes | 1–2 | C | Secondary | Non-system oriented | Novice
 | No | No | 1–4 | B | Secondary | Non-system oriented | Novice
 | No | No | 1–4 | A | Secondary | Non-system oriented | Specialist
 | No | Yes | 1–2 | D | Primary/Secondary | Deductive | Expert
 | No | Yes | 1–6 | B/E | Secondary | Non-system oriented | Specialist
 | No | Yes | 1–3 | D | Primary/Secondary | Inductive | Specialist
 | No | Yes | 2–4 | D/E | Secondary | Deductive | Expert
 | No | No | 1–4 | A/E | Secondary | Non-system oriented | Specialist
 | Yes | No | 1–6 | B | Primary | Non-system oriented | Novice
 | Yes | Yes | 1–4 | B | Primary | Non-system oriented | Specialist/expert
 | No | Yes | 1–3 | B | Secondary | Morphological | Specialist
 | Yes | Yes | 1–4 | A | Primary | Non-system oriented | Specialist
 | No | Yes | 1–6 | A/B/D/E | Primary | Deductive & inductive | Expert
and Causal Factors Charting and Analysis, STEP, MTO-analysis, TRIPOD and Acci-map are all primary methods.
The fault tree analysis and event tree analysis might be both
primary and secondary methods. The other methods are secondary methods that might give valuable input to the other
investigation methods.
The different methods may have a deductive, inductive,
morphological, or non-system oriented approach. Fault tree
analysis and MORT are deductive methods while event tree
analysis is an inductive method. Acci-map might be both
inductive and deductive. The AEB-method is characterised
as morphological, while the other methods are non-system
oriented.
The last characteristic assessed is the need for education and training in order to use the methods. The terms
"Expert", "Specialist" and "Novice" are used in the table.
Fault tree analysis, MORT and Acci-map enter into the
expert category. ECFC, barrier analysis, change analysis
and STEP enter into the category novice. Specialist is
somewhere between expert and novice, and Events and
Causal Factors Analysis, Root cause analysis, Event tree
analysis, SCAT, MTO-analysis, AEB-method and TRIPOD
enter into this category.
5. Conclusion
Seen from a safety scientist's view, the aim of accident
investigations should be to identify the event sequences and
all (causal) factors influencing the accident scenario in order to be able to suggest risk reducing measures suitable for
prevention of future accidents. Experience from accidents
shows that major accidents almost never result from one single cause, but most accidents involve multiple, interrelated,
causal factors. All actors or decision-makers influencing the
normal work process might also influence accident scenarios, either directly or indirectly. This complexity should be
reflected in the accident investigation process, and there may
be need for analytical techniques to support the investigators
to structure information and focus on the most important
features.
Several methods for accident investigation have been developed during the last decades. Each of the methods has
different areas of application and qualities and deficiencies,
such that a combination of methods ought to be used in a
comprehensive investigation of a complex accident. A selection of methods is described in this paper and the methods
are compared according to some characteristics. This comparison is summarised in Table 1.
Some of the methods may be used to visualise the accident sequence, and are useful during the investigation
process because they provide an effective visual aid that summarises key information and a structured method
for collecting, organising and integrating collected evidence
to facilitate communication among the investigators. Graphical illustrations also help identify information gaps.
References
[1] A. Hopkins, Lessons from Longford, CCH Australia Limited, Australia, 2000, ISBN 1 86468 422 4.
[2] Cullen, The Public Inquiry into the Piper Alpha Disaster, HMSO
Publication, United Kingdom, 1990, ISBN 0 10 113102.
[3] D. Vaughan, The Challenger Launch Decision: Risky Technology,
Culture and Deviance at NASA, University of Chicago Press, London,
1996.
[4] NASA, 2003, http://www.nasa.gov/columbia/.
[5] NOU, Hurtigbåten MS Sleipners forlis 26 November 1999, Justisdepartementet, vol. 31, 2000.
[6] Cullen, The Ladbroke Grove Rail Inquiry: Report, Part 1, HSE
Books, United Kingdom, 2001, ISBN 0 7176 2056 5.
[7] NOU, Åsta-ulykken, vol. 30, Justisdepartementet, 4 Januar 2000.
[8] A. Hale, Introduction: the goals of event analysis, in: A. Hale,
B. Wilpert, M. Freitag (Eds.), After The Event: From Accident to
Organizational Learning, Pergamon Press, 1997, ISBN 0 08 0430740.
[9] J. Rasmussen, Risk management in a dynamic society: a modelling
problem, Safety Sci. 27 (2–3) (1997) 183–213.
[10] DOE, Conducting Accident Investigations, DOE Workbook, Revision 2, US Department of Energy, Washington, DC, USA, 1 May
1999.
[11] U. Kjellén, Prevention of Accidents Through Experience Feedback,
Taylor & Francis, London, UK, 2000, ISBN 0-7484-0925-4.
[12] CCPS, Guidelines for Investigating Chemical Process Incidents, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1992, ISBN 0-8169-0555-X.
[13] W.G. Johnson, MORT Safety Assurance Systems, Marcel Dekker,
New York, USA, 1980.
[14] K. Hendrick, L. Benner Jr., Investigating Accidents with STEP,
Marcel Dekker, New York, 1987, ISBN 0-8247-7510-4.
[15] J. Groeneweg, Controlling the controllable, The Management of
Safety, 4th ed., DSWO Press, Leiden University, The Netherlands,
1998.
[16] O. Svensson, Accident Analysis and Barrier Function (AEB)
Method - Manual for Incident Analysis, ISSN 1104-1374, SKI Report 00:6, Sweden, 2000.
[17] A.D. Livingston, G. Jackson, K. Priestley, Root Causes Analysis:
Literature Review, Contract Research Report 325/2001, HSE Books,
2001, ISBN 0 7176 1966 4.
[18] DOE, Implementation Guide For Use With DOE Order 225.1A, Accident Investigations, DOE G 225.1A-1, Revision 1, US Department
of Energy, Washington, DC, USA, 26 November 1997.
[19] U. Kjellén, T.J. Larsson, Investigating accidents and reducing
risks - a dynamic approach, J. Occup. Accid. 3 (1981) 129–140.
[20] J. Reason, Managing the Risks of Organizational Accidents, Ashgate,
England, 1997, ISBN 1 84014 105 0.
[21] T. Kletz, Learning from Accidents, 3rd ed., Gulf Professional Publishing, UK, 2001, ISBN 0 7506 4883 X.
[22] IAEA, INSAG-12, Basic Safety Principles for Nuclear Power Plants
75-INSAG-3, Revision 1, IAEA, Vienna, 1999.
[23] CCPS, Layer of Protection Analysis: Simplified Process Risk Assessment, Center for Chemical Process Safety, New York, 2001, ISBN
0-8169-0811-7.
[24] A. Høyland, M. Rausand, System Reliability Theory: Models and
Statistical Methods, Wiley, New York, 1994, ISBN 0-471-59397-4.
[25] M.E. Paté-Cornell, Learning from the Piper Alpha accident: a postmortem analysis of technical and organizational factors, Risk Analysis, vol. 13, No. 2, 1993.
[26] A. Villemeur, Reliability, Availability, Maintainability and Safety
Assessment - Methods and Techniques, vol. 1, Chichester, UK, 1991,
ISBN 0 471 93048 2.
[27] F.E. Bird Jr., G.L. Germain, Practical Loss Control Leadership, International Loss Control Institute, Georgia, USA, 1985, ISBN 0-88061-054-9.
[28] C. Rollenhagen, MTO - En Introduktion, Sambandet Människa,
Teknik och Organisation, Studentlitteratur, Lund, Sweden, 1995,
ISBN 91-44-60031-3.
[29] J.P. Bento, MTO-analys av händelsesrapporter, OD-00-2, Oljedirektoratet, Stavanger, 1999.
[30] J. Rasmussen, I. Svedung, Proactive Risk Management in a Dynamic
Society, Swedish Rescue Services Agency, 2000, ISBN 91-7253-084-7.
[31] J. Reason, et al., TRIPOD - A Principled Basis for Accident Prevention, 1988.
Paper 6
O. Tjelta
Petroleum Safety Authority Norway
ABSTRACT: There has been established a common goal to reduce the number of major
hydrocarbon releases by 50 % in the Norwegian oil and gas industry. Several initiatives have
been established including initiatives focusing on barriers to improve the safety standards.
Traditionally a lot of attention has been directed towards leakages from the topside process
equipment on the platform. However, in order to meet the overall objectives of the industry,
focus should also be put on the risk of release during well interventions. This paper presents
results from a case study where the main objective has been to analyse the risk of release of
hydrocarbons associated with well interventions. The focus of the case study has been wireline operations, and the purpose has been to identify and analyze physical and non-physical
barriers aimed to prevent release of hydrocarbons during wireline operations.
1 INTRODUCTION
1.1 Background
There has been established a common goal
to reduce the number of major hydrocarbon
(HC) releases by 50 % in the Norwegian oil
and gas industry. Several initiatives have
been established including initiatives focusing on barriers to improve the safety standards. It has been stressed that leakages
could serve as the most leading indicator
with regards to major accidents (Øien &
Sklet, 2001).
Traditionally a lot of attention has been
directed towards leakages from the topside
process equipment on the platforms. However, in order to meet the overall objectives
of the industry, focus should also be put on
Qualitative analysis of human, technical, and operational barrier elements during well interventions
In 2002, PSA initiated a project that focused on the risk of release of hydrocarbons
during well interventions. The main objective of this project has been to ensure a better and more systematic understanding of
human, technological and organizational aspects of the risk associated with well interventions.
Further, the objectives may be summarized as:
- To improve planning (both onshore and offshore) and improve the co-operation between onshore and offshore personnel.
- To identify both physical and non-physical barriers aimed to prevent release of hydrocarbons during wireline operations (WL).
- To ensure transfer of experience between companies.
- To improve the understanding of well interventions for the authorities by performing a case study focusing on wireline operations.
One way to achieve these objectives has
been to establish contact and cooperation
between risk analysts, accident investigators
and operational personnel in oil companies
and wireline contractors.
measures to protect the public and the environment from harm in case these barriers are
not fully effective".
Traditionally, the focus on barriers
within the drilling and well intervention
sphere has been rather technical or physical
which is illustrated by the following definition of well barrier in a NORSOK standard;
well barrier is defined as well envelope of
one or several dependent barrier elements
preventing fluids or gases from flowing unintentionally from the formation, into another formation or to surface (NORSOK,
2004). The defined well barriers in this
standard for wireline operations are illustrated in Figure 1.
The well barrier elements are classified
as primary well barriers or secondary well
barriers as shown in Table 1, and from this
table we see that all the well barrier elements are physical. Furthermore, we see that
most of the elements are placed down in the
well, but the subject of interest in our project has been the wireline equipment assembled on top of the valve tree.
However, experience from well intervention incident reports shows that it is important not only to focus on the technical aspects of the barriers. The incident reports
show that it is also important to include human and organizational aspects to enable the
physical barriers to function and be maintained. Operational activities such as leak tests
function as barriers against failure of the
physical envelope preventing fluids or gas
from flowing from the formation.
control equipment
8. Wireline lubricator
9. Wireline stuffing box/grease injection head
Secondary well barrier
1. Casing cement
2. Casing
3. Wellhead
4. Tubing hanger
5. Surface production tree
6. Wireline safety head
Legend:
BLR: wireline BOP cable ram
SLR: wireline BOP slick line ram
SSR: wireline BOP cut valve, integrated in wireline BOP
Figure 1. Well barrier elements (NORSOK, 2004).
RELEASE SCENARIOS
As seen in Table 2, incidents have occurred during all the phases of the wireline
operations. The analysis of the event sequences and the causes of the incidents
showed that both technical and human failures caused the incidents. These facts were
allowed for during the development of the
release scenarios.
Three of the most serious incidents were
analyzed in more detail, and one important
finding was the importance of a good understanding of the risk associated with each
specific wireline operation in order to obtain
an adequate situational awareness. This emphasizes the importance of an adequate risk
analysis of the operation that is allowed for
in the detailed planning of each wireline operation.
3 RESULTS
The main results presented in this paper are;
a) some findings from the review of incident
reports, and b) a set of release scenarios that
may lead to undesired release of hydrocarbons during wireline operations.
Comments:
- By a diffuse release is meant a very small release that usually will not be detected by gas detectors or registered in any incident registration system like Synergi.
- If the wireline BOP closes, the stuffing box may be repaired.
- Critical event if this occurs at the same time as the wireline equipment is stuck in the wireline BOP/valve tree and hinders the closing of valves.
- Hydraulic master valve in valve tree is qualified as wireline shear valve on some platforms, but not on all.
- If all these barriers fail, it may still be possible to recover the safe state, either by closing the downhole safety valve or by killing the well by mud through the kill wing valve on the valve tree.
Comments:
- Visual inspection of the gaskets is performed prior to assembling, but it may be difficult to reveal potential damage in the gasket after assembling.
- No data exist on how often failures are made during assembling of lubricators, but the interviews indicate that failures are revealed during leak testing up to 1 out of 20 times.
Comments:
- The blow out preventing plugs in the stuffing box/grease injection head may be of different types.
- The cable may be broken by an incident or as an intended action due to operational problems such as the wireline equipment getting stuck in the well, a need to interrupt the wireline operation due to bad weather conditions, etc.
- During pulling out of the hole, factors such as time pressure and tool weight are important.
were preferred as modeling technique because they give a clear and consistent representation of the different barrier functions
and elements which are available in order to
prevent releases despite occurrences of
the initiating events. Further, they enable
separate analysis of different barrier functions by use of suitable analysis methods
(e.g., fault tree analysis). By defining the
initiating event different from the release,
focus is automatically moved towards likelihood reducing measures.
These barrier systems include technical,
organizational and human aspects. For a
more detailed description of barrier block
diagrams, see Sklet & Hauge (2004).
In Figure 2 to Figure 4, barrier block diagrams for the same three scenarios as described in subsection 3.2 are shown in order
to illustrate the principles.
[Barrier block diagrams. Initiating events: diffuse release in stuffing box/grease injection head; failure during assembling of lubricator. Barrier elements: recovery of pressure control in stuffing box/grease injection head; 3rd party inspection of work; leak test; blowout plug in stuffing box; WL seal BOP closes; WL shear/seal BOP closes; HMV in valve tree closes; depressurization/draining. Outcomes: safe state; failure during assembling revealed; small release; release.]
Figure 2. Release of hydrocarbons due to leakage in stuffing box/grease injection head.
[Figure: scenarios leading to hydrocarbon release: diffuse leak in stuffing box; cable breakage; failure during assembling of lubricator; failure during assembling of WL riser; failure during hook-up of hose to closed drain; WL equipment damaged by falling objects; valve on closed drain in wrong position after WL.]
4 DISCUSSION
Well interventions have other attributes than
the normal production or processing of hydrocarbons on the platforms, and have a risk
of leakages. The literature on well interven
5 CONCLUSIONS
This paper has presented some results from
a study focusing on physical and non-physical barriers aimed to prevent release of
hydrocarbons during wireline operations on
oil and gas production platforms.
The basic requirement is that during
drilling and well operations, there should at
all times be at least two independent and
tested well barriers.
Eight release scenarios have been developed reflecting different causes of release
and illustrating different types of barriers
aimed to prevent release. Our study has revealed some non-physical barriers that seem
to be important in order to prevent release of
hydrocarbons in addition to the physical
barriers. The most important non-physical
barriers are:
System for verification of depressurized
and drained system before disassembling
of normally pressurized hydrocarbon
systems.
6 ACKNOWLEDGEMENTS
We would like to express our sincere gratitude to all the people who have been willing
to share information and discuss these issues
with us both onshore and offshore. A special
thanks to the companies Statoil and Maritime Well Service for their active involvement in the project. However, the contents
of this paper are the responsibility of the authors only.
7 REFERENCES
Gibson, J. J., 1961. The contribution of experimental psychology to the formulation of the
problem of safety- a brief for basic research.
In Behavioral Approaches to Accident Research. New York: Association for the Aid
of Crippled Children, pp. 77-89. Reprinted in
W. Haddon, E. A. Schuman and D. Klein
(1964): Accident Research: Methods and
Approaches. New York: Harper & Row.
Haddon, W.,1970. On the escape of tigers: An
ecological note. Technological review, 72
Paper 7
Standardised procedures for Work Permits and Safe Job Analysis on the
Norwegian Continental Shelf
Paper 8
ABSTRACT: One of the main principles for the safety work in high-risk industries such as
the nuclear and process industry, is the principle of defence-in-depth that implies use of multiple safety barriers or safety functions in order to control the risk.
Traditionally, there has been a strong focus on the design of safety functions. However, recent standards and regulations focus on the entire life cycle of safety functions, and this paper
focuses on the surveillance of safety functions during operations and maintenance. The paper
presents main characteristics of safety functions, factors influencing the performance, a failure category classification scheme, and finally a discussion of challenges related to the surveillance of safety functions during operations and maintenance. The discussion is based on
experiences from the Norwegian petroleum industry and results from a research project concerning the reliability and availability of computerized safety systems.
The main message is that there should be an integrated approach for surveillance of safety
functions that incorporates hardware, software and human/organizational factors, and all failure categories should be systematically analyzed to 1) monitor the actual performance of the
safety functions and 2) systematically analyze the failure causes in order to improve the functionality, reliability and robustness of the safety functions.
1 INTRODUCTION
One of the main principles for the safety
work in high-risk industries such as the nuclear and process industry, is the principle
of defence-in-depth or use of multiple layers
of protection (IAEA 1999, Reason 1997,
CCPS 2001).
The Norwegian Petroleum Directorate
(NPD) emphasizes this principle in their
new regulations concerning health, safety
and environment in the Norwegian offshore
industry (NPD, 2001a). An important issue
in these new regulations is the focus on
safety barriers, and in the first section of the
be implemented by a SIS (Safety Instrumented System), other technological safety-related system or external risk reduction facilities which is intended to achieve or
maintain a safe state for the process in respect to a specific hazardous event. An important part of the standards is a risk-based
approach for determination of the safety integrity level requirements for the different
safety functions. IEC 61508 is a generic
standard common to several industries,
while the process industry currently develops a sector specific standard for application
of SIS, i.e., IEC 61511 (IEC 2002). In Norway, the offshore industry has developed a
guideline for the use of the standards IEC
61508 and IEC 61511 (OLF 2001), and the
Norwegian Petroleum Directorate (NPD) refers to this guideline in their new regulations (NPD 2001a). Overall, it is expected
that these standards will contribute to a
more systematic safety work and increased
safety in the industry.
Further, the NPD in section 7 in the
management regulation (NPD, 2001a) requires that the party responsible shall establish monitoring parameters within his areas of activity in order to monitor matters of
significance to health, environment and
safety, and that the operator or the one responsible for the operation of a facility,
shall establish indicators to monitor changes
and trends in major accident risk. These
requirements imply a need for surveillance
of safety functions during operation. In accordance with these requirements,
NORSOK (2001) suggests that verification
of that performance standards for safety and
emergency preparedness systems are met in
the operational phase may be achieved
through monitoring trends for risk indicators. [...] Examples of such indicators may
be availability of essential safety systems.
Also IEC requires proof testing and inspec-
2 CHARACTERISTICS OF SAFETY FUNCTIONS
Safety functions may be characterized in
different ways, and some of the characteristics influence how the surveillance of the
safety function is performed. The following
characteristics are further discussed in this
section: type of safety function, local vs.
global safety functions and active vs passive
systems.
IEC 61511 (IEC 2002) defines a safety
function as a function to be implemented
by a SIS, other technology safety-related
system or external risk reduction facilities,
which is intended to achieve or maintain a
safe state for the process, in respect of a
specific hazardous event. By SIS, IEC
means an instrumented system used to implement one or more safety instrumented
functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final
element(s). Other technology safety-related
[Figure: a safety function consists of a sensor (instrument, mechanical or human), a decision making process (logic solver, relay, mechanical device, human) and an action (instrument, mechanical, or human).]
[Figure: example for an HC leakage. Detection: automatic detection, other alarm, manual detection. Decision: logic solver, human decision. Action: closure of ESD-valve.]
[Figure: event sequence and safety functions. Event sequence: hydrocarbon leakage, spreading of HC, ignition, strong explosion, escalation of fire. Safety functions: prevent HC leakage, prevent spreading of HC, prevent ignition, prevent strong explosion, prevent fatalities.]
4 FAILURE CLASSIFICATION
ure, occurring at a random time, which results from one or more of the possible
degradation mechanisms in the hardware".
IEC 61508-4 (Section 3.6.6) defines a systematic failure as a "failure related in a deterministic way to a certain cause, which
can only be eliminated by a modification of
the design or the manufacturing process,
operational procedures, documentation or
other relevant factors".
The standard defines hardware-related
Common Cause Failures (CCFs) (IEC
61508-6, Section D.2): "However, some
failures, i.e., common cause failures, which
result from a single cause, may affect more
than one channel. These may result from a
systematic failure (for example, a design or
specification mistake) or an external stress
leading to an early random hardware failure". As an example, the standard refers to
excessive temperature of a common cooling
fan, which accelerates the life of the component or takes it outside its specified operating environment.
Hokstad & Corneliussen (2003) suggest
a notation that makes a distinction between
random hardware failures caused by natural
ageing and those caused by excessive
stresses (and therefore may lead to CCFs).
The classification also defines systematic
failures in more detail. The suggestion is an
update of the failure classification introduced in the PDS project (Aarø et al 1989),
but adapted to the IEC 61508 notation, and
hence should not be in conflict with that of
IEC 61508. The concepts and failure categorization suggested by Hokstad and Corneliussen (2003) are shown in Figure 4.
[Figure 4: failure classification by failure causes. Random hardware (physical) failures: ageing (natural ageing within design envelope) and stress (sandblasting, humidity, overheating). Systematic (non-physical) failures: interaction, either random (scaffolding cover up sensor) or test/periodic (leave in by-pass, cover up sensor), and design (software error, sensor does not distinguish true and false demand, wrong location of sensor).]
5 SURVEILLANCE OF SAFETY FUNCTIONS
This section discusses the surveillance of
safety functions during operation related to
the failure classification in the previous section.
The requirements for surveillance are related to the functional safety, and not only
to the quantitative SIL requirements (see
section 4). In IEC 61508-2, section 7.6.1 it
is stated that one should develop procedures to ensure that the required functional
safety of the SIS is maintained during operation and maintenance, and more explicitly stated in IEC 61511-1, section 16.2.5,
the discrepancies between expected behavior and actual behavior of the SIS shall be
analyzed and where necessary, modification
made such that the required safety is main
location (of sensor), and other shortcomings in the functional testing (the test
demand is not identical to a true demand
and some part of the function is not
tested).
Interaction errors that occur during functional testing, e.g., maintenance crew
forgetting to test specific sensor, tests
performed erroneously (wrong calibration or component is damaged), maintenance personnel forgetting to reset bypass of component.
Thus, most systematic failures are not
detected even by functional testing. In almost all cases it is correct to say that functional testing will detect all random hardware failures but no systematic failures.
The functional tests may be tests of:
- The entire system/function, typically performed when the process is down, e.g., due to revision stops.
- Components or sub-functions. Component tests are normally performed when the process is in operation.
Component tests are more frequent than
the system tests due to fewer consequences for
production. Experience does, however, show
that full tests (from input via logic to output
device) always encounter failures not captured during component tests.
In IEC 61511-1, inspection is described
as periodical visual inspection, and this
restricts the inspections to an activity that
reveals for example unauthorized modifications and observable deteriorations of the
components. An operator may also detect
failures in between tests (Random detection). For instance the panel operator may
detect a transmitter that is stuck or a sensor left in by-pass (systematic failure).
6 DISCUSSION
The data from the various activities described above should be systematically analyzed to 1) monitor the actual performance
of the safety functions and 2) systematically
analyze the failure causes in order to improve the performance of the function. The
organization should handle findings from all
above surveillance activities, and should focus on both random hardware and systematic failures. The failure classification in
PDS may assist in this work.
6.1 Performance of safety functions
As stated above, the performance of
safety functions has three elements: 1) the
functionality/efficiency, 2) the reliability,
and 3) the robustness. The functionality is
influenced by systematic failures. Since
these failures seldom are revealed during
testing, it is necessary to register systematic
failures after actual demands or events that
are observed by the personnel (inhibition of
alarms, scaffolding, etc.).
Traditionally, the reliability is quantified as the probability of failure on demand (PFD) and is mainly influenced by the dangerous undetected random hardware failure rate (DU), the test interval () and the fraction of common cause failures ().
The PDS-method (Hokstad & Corneliussen 2003), however, accounts for major factors affecting reliability during system operation, such as common cause failures, automatic self-tests, functional (manual) testing, systematic failures (not revealed by functional testing) and complete systems including redundancies and voting. The method gives an integrated approach to hardware, software and human/organizational factors. Thus, the model
based on. OLF suggests an approach for assessment of the failure rate (OLF, 2001), but the oil companies have not implemented this approach fully yet.
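The monitoring described in this section can be sketched in a few lines; the following is an added example, not part of the paper. It groups constructed failure records by the surveillance activity that revealed them, estimates the dangerous undetected failure rate from the random hardware failures, and evaluates the usual first-order PFD approximations for a single component and a redundant pair. The record layout, tags, population size and function names are assumptions, and the PFD expressions are the standard textbook approximations, which the text refers to but does not spell out.

```python
from collections import Counter

HOURS_PER_YEAR = 8760

# Constructed failure records for a population of gas detectors (not real data).
# (tag, surveillance activity that revealed it, failure category, dangerous undetected?)
RECORDS = [
    ("GD-101", "functional_test", "random_hardware", True),
    ("GD-102", "functional_test", "random_hardware", True),
    ("GD-103", "self_test", "random_hardware", False),
    ("GD-104", "operator", "systematic", True),    # sensor left in by-pass
    ("GD-105", "demand", "systematic", True),      # badly located, missed a leak
    ("GD-106", "inspection", "systematic", False), # unauthorized modification
]

def failures_by_activity(records):
    """Count failures per (surveillance activity, failure category)."""
    return Counter((activity, category) for _, activity, category, _ in records)

def estimate_lambda_du(records, n_units, years):
    """Observed DU random hardware failures per hour of aggregated service time."""
    n_du = sum(1 for _, _, cat, du in records if cat == "random_hardware" and du)
    return n_du / (n_units * years * HOURS_PER_YEAR)

def pfd_1oo1(lambda_du, tau_hours):
    """Average PFD of a single component tested every tau_hours."""
    return lambda_du * tau_hours / 2

def pfd_1oo2(lambda_du, tau_hours, beta):
    """Average PFD of a redundant pair: independent part plus common cause part."""
    independent = ((1 - beta) * lambda_du * tau_hours) ** 2 / 3
    common_cause = beta * lambda_du * tau_hours / 2
    return independent + common_cause

def systematic_missed_by_tests(records):
    """Fraction of systematic failures revealed by something other than a functional test."""
    systematic = [r for r in records if r[2] == "systematic"]
    return sum(1 for r in systematic if r[1] != "functional_test") / len(systematic)

if __name__ == "__main__":
    lam = estimate_lambda_du(RECORDS, n_units=100, years=2)
    print(dict(failures_by_activity(RECORDS)))
    print(f"lambda_DU = {lam:.2e} per hour")
    print(f"PFD 1oo1 = {pfd_1oo1(lam, HOURS_PER_YEAR):.4f}")
    print(f"PFD 1oo2 = {pfd_1oo2(lam, HOURS_PER_YEAR, beta=0.1):.6f}")
    print(f"systematic failures not found by tests: {systematic_missed_by_tests(RECORDS):.0%}")
```

In the constructed data every systematic failure is found by an operator, a demand or an inspection, so a PFD computed from functional test findings alone says nothing about them.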
6.3 Analysis of systematic failures
As described earlier, the systematic failures are almost never detected in the tests or by inspection, but it is important to analyze in detail the systematic failures that occur and to have a system to control systematic failures. Systematic failures are usually logged in other systems than the CMMS, but the information is normally not analyzed in the same detail as the data from functional tests.
In particular, it is important to investigate the actions taken by the safety functions when an actual demand occurs. Systematic analysis of gas leaks is important for gas detection systems. Such analyses may indicate whether the sensors are wrongly located and do not detect gas leakages. In addition, other systems like incident investigation, systems or procedures for inhibition of alarms, scaffolding work, and reset of sensors must be in place and investigated periodically. Another possibility that could be utilized more in the future is to build more detailed logging features into the SIS logic, to present the signal path when actual demands occur. This type of logging might give details about failed components and information about how the leak was detected.
6.4 Procedure/system for collection of failure data
Experiences from the failure cause analysis should be used to improve the procedures and systems for collection and analysis of failure data. A structured analysis of failures and events may reveal a potential for improvements in the actual maintenance or test
7 CONCLUSIONS
Recent standards and regulations focus on the entire life cycle of safety functions, and in this paper we have focused on the surveillance of safety functions during operations and maintenance.
The main message is that there should be an integrated approach for surveillance of safety functions that incorporates hardware, software and human/organizational factors, and all failure categories should be systematically analyzed to 1) monitor the actual performance of the safety functions and 2) systematically analyze the failure causes in order to improve the functionality, reliability and robustness of safety functions.
Not all surveillance activities reveal all kinds of failures, and a comprehensive set of activities should be used. Failures of safety functions should be registered during actual demands (e.g. gas leaks), testing (functional tests and self-tests), and inspection. The presented failure classification scheme can contribute to an understanding of which surveillance activities reveal different types of failures.
8 REFERENCES
Aarø R, Bodsberg L, Hokstad P. Reliability Prediction Handbook; Computer-Based Process Safety Systems. SINTEF report STF75 A89023, 1989.
Bodsberg L, Hokstad P. A System Approach to Reliability and Life-Cycle Cost for Process Safety Systems. IEC Trans. on Reliability, Vol. 44, No. 2, 1995, 179-186.
Bodsberg L, Hokstad P. Transparent reliability model for fault-tolerant safety systems. Reliability Engineering & System Safety, 55 (1996) 25-38.
CCPS, 2001. Layer of Protection Analysis Simplified Process Risk Assessment. ISBN 08169-0811-7, Center for Chemical Process